AWS Certified Solutions Architect Associate
By Stephane Maarek

Disclaimer: These slides are copyrighted and strictly for personal use only

* This document is reserved for people enrolled into the Ultimate AWS Solutions Architect Associate Course
* Please do not share this document. It is intended for personal use and exam preparation only, thank you.
* If you've obtained these slides for free on a website that is not the course's website, please reach out to piracy@datacumulus.com. Thanks!
* Best of luck for the exam and happy learning!
Welcome! We're starting in 5 minutes

* We're going to prepare for the Solutions Architect exam - SAA-C03
* It's a challenging certification, so this course will be long and interesting
* Basic IT knowledge is necessary

* This course contains videos...
  * From the Cloud Practitioner, Developer and SysOps courses - shared knowledge
  * Specific to the Solutions Architect exam - exciting ones on architecture!

* We will cover over 30 AWS services
* AWS / IT beginners welcome! (but take your time, it's not a race)
My SAA-C03 certification

AWS Certified Solutions Architect - Associate
Notice of Exam Results

Candidate: Stephane MAAREK    Exam Date: Sep 02, 2022
Candidate Score: 961          Pass/Fail: PASS
About me

* I'm Stephane!
* Worked as an IT consultant and AWS Solutions Architect, Developer & SysOps
* Worked with AWS for many years: built websites, apps, streaming platforms
* Veteran instructor on AWS (Certifications, CloudFormation, Lambda, EC2...)

* You can find me on
  * GitHub: https://github.com/simplesteph
  * LinkedIn: https://www.linkedin.com/in/stephanemaarek
  * Medium: https://medium.com/@stephane.maarek
  * Twitter: https://twitter.com/stephanemaarek

* 4.7 Instructor Rating
* 473,642 Reviews
* 1,553,489 Students
* 39 Courses
What's AWS?

* AWS (Amazon Web Services) is a Cloud Provider
* They provide you with servers and services that you can use on demand and scale easily
* AWS has revolutionized IT over time
* AWS powers some of the biggest websites in the world
  * Amazon.com
  * Netflix
What we'll learn in this course (and more!)

Amazon EC2, Amazon ECR, Amazon ECS, AWS Elastic Beanstalk, AWS Lambda, AWS Auto Scaling, IAM, AWS KMS, Amazon S3,
Amazon SES, Amazon RDS, Amazon Aurora, Amazon DynamoDB, Amazon ElastiCache, Amazon SQS, Amazon SNS, AWS Step Functions,
Amazon CloudWatch, AWS CloudFormation, AWS CloudTrail, Amazon API Gateway, Elastic Load Balancing, Amazon CloudFront, Amazon Kinesis, Amazon Route 53
Navigating the AWS spaghetti bowl

Getting started with AWS

AWS Cloud History

* 2002: Internally launched
* 2003: Amazon infrastructure is one of their core strengths. Idea to market
* 2004: Launched publicly with SQS
* 2006: Re-launched publicly with SQS, S3 & EC2
* 2007: Launched in Europe
* Customers shown on the slide: Dropbox, Airbnb

© Stephane Maarek


AWS Cloud Number Facts

* In 2019, AWS had $35.02 billion in annual revenue
* AWS accounts for 47% of the market in 2019 (Microsoft is 2nd with 22%)
* Pioneer and Leader of the AWS Cloud Market for the 9th consecutive year
* Over 1,000,000 active users

[Figure 1. Magic Quadrant for Cloud Infrastructure as a Service, Worldwide. Axes: Completeness of Vision (horizontal) vs Ability to Execute (vertical); quadrants include Niche Players and Visionaries; Alibaba Cloud, Oracle and IBM appear. As of July 2019, © Gartner, Inc. Source: Gartner (July 2019)]
AWS Cloud Use Cases

* AWS enables you to build sophisticated, scalable applications
* Applicable to a diverse set of industries
* Use cases include
  * Enterprise IT, Backup & Storage, Big Data analytics
  * Website hosting, Mobile & Social Apps
  * Gaming
AWS Global Infrastructure

* AWS Regions
* AWS Availability Zones
* AWS Data Centers
* AWS Edge Locations / Points of Presence
* https://infrastructure.aws/
AWS Regions

* AWS has Regions all around the world
* Names can be us-east-1, eu-west-3...
* A region is a cluster of data centers
* Most AWS services are region-scoped

[World map: Regions / Coming Soon]
https://aws.amazon.com/about-aws/global-infrastructure
Region names and codes

US East (N. Virginia)        us-east-1
US East (Ohio)               us-east-2
US West (N. California)      us-west-1
US West (Oregon)             us-west-2
Africa (Cape Town)           af-south-1
Asia Pacific (Hong Kong)     ap-east-1
Asia Pacific (Mumbai)        ap-south-1
Asia Pacific (Seoul)         ap-northeast-2
Asia Pacific (Singapore)     ap-southeast-1
Asia Pacific (Sydney)        ap-southeast-2
Asia Pacific (Tokyo)         ap-northeast-1
Canada (Central)             ca-central-1
Europe (Frankfurt)           eu-central-1
Europe (Ireland)             eu-west-1
Europe (London)              eu-west-2
Europe (Paris)               eu-west-3
Europe (Stockholm)           eu-north-1
Middle East (Bahrain)        me-south-1
South America (Sao Paulo)    sa-east-1
How to choose an AWS Region?

If you need to launch a new application, where should you do it?

* Compliance with data governance and legal requirements: data never leaves a region without your explicit permission
* Proximity to customers: reduced latency
* Available services within a Region: new services and new features aren't available in every Region
* Pricing: pricing varies region to region and is transparent in the service pricing page
AWS Availability Zones

* Each region has many availability zones (usually 3, min is 3, max is 6). Example:
  * ap-southeast-2a
  * ap-southeast-2b
  * ap-southeast-2c
* Each availability zone (AZ) is one or more discrete data centers with redundant power, networking, and connectivity
* They're separate from each other so that they're isolated from disasters
* They're connected with high bandwidth, ultra-low latency networking

[Diagram: AWS Region Sydney: ap-southeast-2, with AZs ap-southeast-2a, ap-southeast-2b, ap-southeast-2c]
AWS Points of Presence (Edge Locations)

* Amazon has 400+ Points of Presence (400+ Edge Locations & 10+ Regional Caches) in 90+ cities across 40+ countries
* Content is delivered to end users with lower latency

[World map of edge locations]
https://aws.amazon.com/cloudfront/features/
Tour of the AWS Console

* AWS has Global Services:
  * Identity and Access Management (IAM)
  * Route 53 (DNS service)
  * CloudFront (Content Delivery Network)
  * WAF (Web Application Firewall)

* Most AWS services are Region-scoped:
  * Amazon EC2 (Infrastructure as a Service)
  * Elastic Beanstalk (Platform as a Service)
  * Lambda (Function as a Service)
  * Rekognition (Software as a Service)

* Region Table: https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/
IAM Section

IAM: Users & Groups

* IAM = Identity and Access Management, Global service
* Root account created by default, shouldn't be used or shared
* Users are people within your organization, and can be grouped
* Groups only contain users, not other groups
* Users don't have to belong to a group, and a user can belong to multiple groups

[Diagram: groups Developers and Operations containing users Alice, Bob, Charles, Edward and Fred]
IAM: Permissions

* Users or Groups can be assigned JSON documents called policies
* These policies define the permissions of the users
* In AWS you apply the least privilege principle: don't give more permissions than a user needs

Example policy: three Allow statements granting read-only (Describe / List / Get) permissions on EC2, Elastic Load Balancing and CloudWatch:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ec2:Describe*",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "elasticloadbalancing:Describe*",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "cloudwatch:ListMetrics",
            "cloudwatch:GetMetricStatistics",
            "cloudwatch:Describe*"
          ],
          "Resource": "*"
        }
      ]
    }
IAM Policies inheritance

[Diagram: groups Developers, Operations and Audit Team, each with a group policy; a user inherits the policies of every group they belong to; Fred has an inline policy attached directly]
IAM Policies Structure

* Consists of
  * Version: policy language version (2012-10-17 in the example)
  * Id: an identifier for the policy (optional)
  * Statement: one or more individual statements (required)
* Statements consist of
  * Sid: an identifier for the statement (optional)
  * Effect: whether the statement allows or denies access (Allow, Deny)
  * Principal: account/user/role to which this policy applies
  * Action: list of actions this policy allows or denies
  * Resource: list of resources to which the actions apply
  * Condition: conditions for when this policy is in effect (optional)

Example:

    {
      "Version": "2012-10-17",
      "Id": "S3-Account-Permissions",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": ["arn:aws:iam::123456789012:root"]
          },
          "Action": [
            "s3:GetObject",
            "s3:PutObject"
          ],
          "Resource": ["arn:aws:s3:::mybucket/*"]
        }
      ]
    }
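The evaluation rules behind the two policies above (the read-only one from the Permissions slide and the S3 one here) as a small, runnable evaluator. This is an added example, not course or AWS code: it implements "nothing is allowed unless a statement allows it, an explicit Deny always wins", with IAM's `*` wildcard for Action and Resource; the guardrail policy, the account id and the ARNs are constructed, and Principal/Condition are ignored.

```python
# Added example (not the course's or AWS's code): a minimal evaluator for IAM
# identity policies as described on the slides. Decision order: an explicit
# Deny wins over any Allow; with no matching statement the result is an
# implicit deny. Principal and Condition are ignored here.
import re

# The read-only policy from the "IAM: Permissions" slide.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": "elasticloadbalancing:Describe*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics",
                    "cloudwatch:Describe*"],
         "Resource": "*"},
    ],
}

# The S3 policy from the "IAM Policies Structure" slide.
S3_POLICY = {
    "Version": "2012-10-17",
    "Id": "S3-Account-Permissions",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::123456789012:root"]},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": ["arn:aws:s3:::mybucket/*"],
    }],
}

# Constructed guardrail: an explicit Deny on writes under a protected prefix.
GUARDRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::mybucket/protected/*",
    }],
}


def _as_list(value):
    """IAM lets Action/Resource be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, ignore_case):
    """Match an IAM pattern: '*' is any run of characters, '?' a single character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _statement_applies(statement, action, resource):
    # Action names are case-insensitive in IAM; resource ARNs are case-sensitive.
    actions = _as_list(statement.get("Action", []))
    resources = _as_list(statement.get("Resource", []))
    return (any(_wildcard_match(a, action, True) for a in actions)
            and any(_wildcard_match(r, resource, False) for r in resources))


def evaluate(policies, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for action on resource."""
    decision = "ImplicitDeny"
    for policy in policies:
        for statement in _as_list(policy.get("Statement", [])):
            if not _statement_applies(statement, action, resource):
                continue
            if statement.get("Effect") == "Deny":
                return "Deny"  # an explicit deny overrides every allow
            decision = "Allow"
    return decision


def allowed_actions(policies, candidate_actions, resource):
    """Least-privilege check: which of the candidate actions would succeed?"""
    return [a for a in candidate_actions if evaluate(policies, a, resource) == "Allow"]


if __name__ == "__main__":
    instance = "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"
    print(evaluate([READ_ONLY_POLICY], "ec2:DescribeInstances", instance))   # Allow
    print(evaluate([READ_ONLY_POLICY], "ec2:TerminateInstances", instance))  # ImplicitDeny
    print(evaluate([S3_POLICY, GUARDRAIL_POLICY], "s3:PutObject",
                   "arn:aws:s3:::mybucket/protected/keys.json"))            # Deny
```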
IAM - Password Policy

* Strong passwords = higher security for your account
* In AWS, you can set up a password policy
  * Set a minimum password length
  * Require specific character types:
    * including uppercase letters
    * lowercase letters
    * numbers
    * non-alphanumeric characters
  * Allow all IAM users to change their own passwords
  * Require users to change their password after some time (password expiration)
  * Prevent password re-use
Multi Factor Authentication - MFA

* Users have access to your account and can possibly change configurations or delete resources in your AWS account
* You want to protect your Root Account and IAM users
* MFA = password you know + security device you own

[Diagram: Alice's password + MFA token => successful login]

* Main benefit of MFA: if a password is stolen or hacked, the account is not compromised
MFA devices options in AWS

* Virtual MFA device
  * Google Authenticator (phone only)
  * Authy (multi-device)
  * Support for multiple tokens on a single device
* Universal 2nd Factor (U2F) Security Key
  * YubiKey by Yubico (3rd party)
  * Support for multiple root and IAM users using a single security key
* Hardware Key Fob MFA Device
  * Provided by Gemalto (3rd party)
* Hardware Key Fob MFA Device for AWS GovCloud (US)
  * Provided by SurePassID (3rd party)
How can users access AWS?

* To access AWS, you have three options:
  * AWS Management Console (protected by password + MFA)
  * AWS Command Line Interface (CLI): protected by access keys
  * AWS Software Developer Kit (SDK) - for code: protected by access keys

* Access Keys are generated through the AWS Console
* Users manage their own access keys
* Access Keys are secret, just like a password. Don't share them
* Access Key ID ~= username
* Secret Access Key ~= password
Example (Fake) Access Keys

[Screenshot of the IAM console "Access keys" panel: "Use access keys to make secure REST or HTTP Query protocol requests to AWS service APIs. For your protection, you should never share your secret keys with anyone. As a best practice, we recommend frequent key rotation." Columns: Access key ID, Created, Last used, Status. One row: AKIASK4E37PV4TU3RD6C, 2020-05-25 15:13 UTC+0100, N/A, Active | Make inactive]

* Access key ID: AKIASK4E37PV4TU3RD6C
* Secret Access Key: AZPN3zo)WozWCndljhBOUnh8239a!bzbzOSstqqkZq
* Remember: don't share your access keys
What's the AWS CLI?

* A tool that enables you to interact with AWS services using commands in your command-line shell
* Direct access to the public APIs of AWS services
* You can develop scripts to manage your resources
* It's open-source: https://github.com/aws/aws-cli
* Alternative to using the AWS Management Console

Example session (uploading a file to S3, then listing the bucket):

    $ aws s3 cp myfile.txt s3://ccp-mybucket/myfile.txt
    upload: ./myfile.txt to s3://ccp-mybucket/myfile.txt
    $ aws s3 ls s3://ccp-mybucket
    2021-05-14 03:22:52 H myfile.txt
What's the AWS SDK?

* AWS Software Development Kit (AWS SDK)
* Language-specific APIs (set of libraries)
* Enables you to access and manage AWS services programmatically
* Embedded within your application
* Supports
  * SDKs (JavaScript, Python, PHP, .NET, Ruby, Java, Go, Node.js, C++)
  * Mobile SDKs (Android, iOS, ...)
  * IoT Device SDKs (Embedded C, Arduino, ...)
* Example: the AWS CLI is built on the AWS SDK for Python

[Diagram: Your Application embeds the AWS SDK]
IAM Roles for Services

* Some AWS services will need to perform actions on your behalf
* To do so, we will assign permissions to AWS services with IAM Roles
* Common roles:
  * EC2 Instance Roles
  * Lambda Function Roles
  * Roles for CloudFormation

[Diagram: an EC2 Instance (virtual server) uses an IAM Role to access AWS]
IAM Security Tools

* IAM Credentials Report (account-level)
  * a report that lists all your account's users and the status of their various credentials

* IAM Access Advisor (user-level)
  * Access Advisor shows the service permissions granted to a user and when those services were last accessed.
  * You can use this information to revise your policies.
IAM Guidelines & Best Practices

* Don't use the root account except for AWS account setup
* One physical user = One AWS user
* Assign users to groups and assign permissions to groups
* Create a strong password policy
* Use and enforce the use of Multi Factor Authentication (MFA)
* Create and use Roles for giving permissions to AWS services
* Use Access Keys for Programmatic Access (CLI / SDK)
* Audit permissions of your account using IAM Credentials Report & IAM Access Advisor
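The audit the last guideline refers to, and the Credentials Report described under IAM Security Tools, as an added example (not the course's or AWS's tooling): it reads the report CSV and flags the practices the slides call out, i.e. console users without MFA, root account use, and stale or never-used access keys. The column names are those of the real report (a subset); the rows and the fixed "now" date are constructed for the example.

```python
# Added example (not the course's or AWS's code): an audit over an IAM
# Credentials Report. Column names are a subset of the real report's; rows are
# constructed. Findings follow the slides' guidelines: MFA for every console
# login (root included), no root usage, keys rotated and actually used.
import csv
import io
from datetime import datetime, timedelta, timezone

CONSTRUCTED_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2020-01-10T09:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,false,true,2020-01-10T09:00:00+00:00,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-03-02T12:00:00+00:00,true,2024-05-20T08:00:00+00:00,true,true,2024-03-01T00:00:00+00:00,2024-05-21T07:30:00+00:00
bob,arn:aws:iam::123456789012:user/bob,2021-06-15T12:00:00+00:00,true,2024-05-19T08:00:00+00:00,false,false,N/A,N/A
charles,arn:aws:iam::123456789012:user/charles,2022-01-01T12:00:00+00:00,false,no_information,false,true,2022-01-01T12:00:00+00:00,N/A
"""

MAX_KEY_AGE_DAYS = 90
# Fixed "now" so the example is deterministic; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _timestamp(value):
    """Report cells are ISO-8601 timestamps or markers such as N/A / no_information."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now=NOW, max_key_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, finding) pairs for credentials that violate the guidelines."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # Root always has a console password (the report says "not_supported"
        # for that column), so it needs MFA like any other console user.
        has_console = is_root or row["password_enabled"] == "true"
        if has_console and row["mfa_active"] != "true":
            findings.append((user, "console login enabled without MFA"))
        if is_root and _timestamp(row["password_last_used"]) is not None:
            findings.append((user, "root account was used to log in"))
        if row["access_key_1_active"] == "true":
            if is_root:
                findings.append((user, "root account has an active access key"))
            rotated = _timestamp(row["access_key_1_last_rotated"])
            if rotated is not None and now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access key 1 not rotated in {max_key_age_days} days"))
            if _timestamp(row["access_key_1_last_used_date"]) is None:
                findings.append((user, "access key 1 is active but has never been used"))
    return findings


def users_with_finding(findings, text):
    """Sorted list of users carrying one particular finding."""
    return sorted(user for user, finding in findings if finding == text)


if __name__ == "__main__":
    for user, finding in audit_credential_report(CONSTRUCTED_REPORT):
        print(f"{user}: {finding}")
```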
IAM Section - Summary

* Users: mapped to a physical user, has a password for the AWS Console
* Groups: contain users only
* Policies: JSON documents that outline permissions for users or groups
* Roles: for EC2 instances or AWS services
* Security: MFA + Password Policy
* AWS CLI: manage your AWS services using the command line
* AWS SDK: manage your AWS services using a programming language
* Access Keys: access AWS using the CLI or SDK
* Audit: IAM Credentials Report & IAM Access Advisor
EC2 Basics

Amazon EC2

* EC2 is one of the most popular AWS offerings
* EC2 = Elastic Compute Cloud = Infrastructure as a Service
* It mainly consists in the capability of:
  * Renting virtual machines (EC2)
  * Storing data on virtual drives (EBS)
  * Distributing load across machines (ELB)
  * Scaling the services using an auto-scaling group (ASG)
* Knowing EC2 is fundamental to understand how the Cloud works
EC2 sizing & configuration options

* Operating System (OS): Linux, Windows or Mac OS
* How much compute power & cores (CPU)
* How much random-access memory (RAM)
* How much storage space:
  * Network-attached (EBS & EFS)
  * Hardware (EC2 Instance Store)
* Network card: speed of the card, Public IP address
* Firewall rules: security group
* Bootstrap script (configure at first launch): EC2 User Data
EC2 User Data

* It is possible to bootstrap our instances using an EC2 User Data script.
* Bootstrapping means launching commands when a machine starts
* That script is only run once, at the instance's first start
* EC2 User Data is used to automate boot tasks such as:
  * Installing updates
  * Installing software
  * Downloading common files from the internet
  * Anything you can think of
* The EC2 User Data script runs with the root user
Hands-On: Launching an EC2 Instance running Linux

* We'll be launching our first virtual server using the AWS Console
* We'll get a first high-level approach to the various parameters
* We'll see that our web server is launched using EC2 User Data
* We'll learn how to start / stop / terminate our instance.
EC2 Instance Types - Overview

* You can use different types of EC2 instances that are optimised for different use cases (https://aws.amazon.com/ec2/instance-types/)
* AWS has the following naming convention, e.g. m5.2xlarge:
  * m: instance class
  * 5: generation (AWS improves them over time)
  * 2xlarge: size within the instance class

[Sidebar from the AWS instance types page: General Purpose, Compute Optimized, Memory Optimized, Accelerated Computing, Storage Optimized, Instance Features, Measuring Instance Performance]
EC2 Instance Types - General Purpose

* Great for a diversity of workloads such as web servers or code repositories
* Balance between:
  * Compute
  * Memory
  * Networking
* In the course, we will be using the t2.micro, which is a General Purpose EC2 instance

General Purpose (from the AWS website)

General purpose instances provide a balance of compute, memory and networking resources, and can be used for a variety of diverse workloads. These instances are ideal for applications that use these resources in equal proportions such as web servers and code repositories.

Mac T4g T3 T3a T2 M6g M5 M5a M5n M5zn M4 A1

* this list will evolve over time, please check the AWS website for the latest information
EC2 Instance Types - Compute Optimized

* Great for compute-intensive tasks that require high performance processors:
  * Batch processing workloads
  * Media transcoding
  * High performance web servers
  * High performance computing (HPC)
  * Scientific modeling & machine learning
  * Dedicated gaming servers

Compute Optimized (from the AWS website)

Compute Optimized instances are ideal for compute bound applications that benefit from high performance processors. Instances belonging to this family are well suited for batch processing workloads, media transcoding, high performance web servers, high performance computing (HPC), scientific modeling, dedicated gaming servers and ad server engines, machine learning inference and other compute intensive applications.

C6g C6gn C5 C5a C5n C4

* this list will evolve over time, please check the AWS website for the latest information

EC2 Instance Types - Memory Optimized

* Fast performance for workloads that process large data sets in memory
* Use cases:
  * High performance, relational/non-relational databases
  * Distributed web scale cache stores
  * In-memory databases optimized for BI (business intelligence)
  * Applications performing real-time processing of big unstructured data

Memory Optimized (from the AWS website)

Memory optimized instances are designed to deliver fast performance for workloads that process large data sets in memory.

R6g R5 R5a R5b R5n R4 X1e X1 High Memory z1d

* this list will evolve over time, please check the AWS website for the latest information
EC2 Instance Types - Storage Optimized

* Great for storage-intensive tasks that require high, sequential read and write access to large data sets on local storage
* Use cases:
  * High frequency online transaction processing (OLTP) systems
  * Relational & NoSQL databases
  * Cache for in-memory databases (for example, Redis)
  * Data warehousing applications
  * Distributed file systems

Storage Optimized (from the AWS website)

Storage optimized instances are designed for workloads that require high, sequential read and write access to very large data sets on local storage. They are optimized to deliver tens of thousands of low-latency, random I/O operations per second (IOPS) to applications.

I3 I3en D2 D3 D3en H1

* this list will evolve over time, please check the AWS website for the latest information
EC2 Instance Types: example

Instance      Storage             Network Performance   EBS Bandwidth (Mbps)
t2.micro      EBS-Only            Low to Moderate       -
t2.xlarge     EBS-Only            Moderate              -
c5d.4xlarge   1 x 400 NVMe SSD    Up to 10 Gbps         4,750
r5.16xlarge   EBS Only            20 Gbps               13,600
m5.8xlarge    EBS Only            10 Gbps               6,800

[The slide's table also has vCPU and Mem (GiB) columns, whose values were not captured]

t2.micro is part of the AWS free tier (up to 750 hours per month)

Great website: https://instances.vantage.sh
Introduction to Security Groups

* Security Groups are the fundamental of network security in AWS
* They control how traffic is allowed into or out of our EC2 Instances.
* Security groups only contain allow rules
* Security group rules can reference by IP or by security group

[Diagram: WWW <-> Security Group (inbound traffic / outbound traffic) <-> EC2 Instance]

Security Groups Deeper Dive

* Security groups are acting as a "firewall" on EC2 instances
* They regulate:
  * Access to Ports
  * Authorised IP ranges - IPv4 and IPv6
  * Control of inbound network (from other to the instance)
  * Control of outbound network (from the instance to other)

Example inbound rules:

Type               Protocol   Port Range   Source               Description
HTTP               TCP        80           0.0.0.0/0            test http page
SSH                TCP        22           122.149.196.85/32
Custom TCP Rule    TCP        4567         0.0.0.0/0            java app
Security Groups Diagram

[Diagram: Security Group 1 inbound rules filter IP / port. Your computer (IP XX.XX.XX.XX) is authorised on port 22 and reaches the EC2 instance (IP XX.XX.XX.XX); another computer is not authorised on port 22 and is blocked. Security Group 1 outbound rules allow any port, so the instance reaches the WWW: any IP, any port]
Security Groups Good to know

* Can be attached to multiple instances
* Locked down to a region / VPC combination
* Does live "outside" the EC2 - if traffic is blocked, the EC2 instance won't see it
* It's good to maintain one separate security group for SSH access
* If your application is not accessible (time out), then it's a security group issue
* If your application gives a "connection refused" error, then it's an application error or it's not launched
* All inbound traffic is blocked by default
* All outbound traffic is authorised by default
Referencing other security groups Diagram

[Diagram: traffic on port 123 between EC2 instances (IPs XX.XX.XX.XX) is allowed or denied based on which security group (e.g. Security Group 3) is attached to the sending instance, rather than on its IP address]
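The security group behaviour of the last few slides (allow rules only, inbound denied by default, outbound allowed by default, rules by CIDR or by security group reference, and the time-out vs connection-refused rule of thumb) as an added example, not course or AWS code. The inbound rules are the ones from the Deeper Dive table; the group ids, the port-123 group reference, the instance IPs and the group attachments are constructed.

```python
# Added example (not the course's or AWS's code): a model of EC2 security group
# evaluation as the slides describe it. Groups hold allow rules only; inbound
# traffic is dropped unless an inbound rule of an attached group matches;
# outbound traffic is allowed by default; a rule's source can be a CIDR block
# (IPv4 or IPv6) or another security group, which matches any instance that
# group is attached to. Group ids, attachments and addresses are constructed.
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    protocol: str      # "tcp", "udp", "icmp", or "-1" for all protocols
    from_port: int
    to_port: int
    source: str        # CIDR such as "0.0.0.0/0", or a group id such as "sg-web"


def default_outbound():
    """A new security group's outbound rules: any protocol, any port, any IP."""
    return [Rule("-1", 0, 65535, "0.0.0.0/0"), Rule("-1", 0, 65535, "::/0")]


@dataclass
class SecurityGroup:
    group_id: str
    inbound: list = field(default_factory=list)          # nothing allowed in by default
    outbound: list = field(default_factory=default_outbound)


# Constructed instances: instance IP -> ids of the groups attached to it.
ATTACHMENTS = {
    "10.0.1.10": ["sg-web"],
    "10.0.2.20": ["sg-other"],
}

# Inbound rules from the "Security Groups Deeper Dive" table.
SG_WEB = SecurityGroup("sg-web", inbound=[
    Rule("tcp", 80, 80, "0.0.0.0/0"),            # HTTP: test http page
    Rule("tcp", 22, 22, "122.149.196.85/32"),    # SSH from one admin address only
    Rule("tcp", 4567, 4567, "0.0.0.0/0"),        # java app
])
# Constructed: port 123 reachable only from instances that carry sg-web.
SG_DB = SecurityGroup("sg-db", inbound=[Rule("tcp", 123, 123, "sg-web")])


def _matches(rule, protocol, port, peer_ip, attachments):
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.protocol != "-1" and not rule.from_port <= port <= rule.to_port:
        return False
    if rule.source.startswith("sg-"):
        return rule.source in attachments.get(peer_ip, [])
    # An IPv4 address is never "in" an IPv6 network and vice versa, so
    # 0.0.0.0/0 does not open the port to IPv6 peers (::/0 is needed for that).
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.source, strict=False)


def inbound_allowed(groups, protocol, port, src_ip, attachments=ATTACHMENTS):
    """Traffic reaches the instance only if an attached group has a matching inbound rule."""
    return any(_matches(r, protocol, port, src_ip, attachments) for g in groups for r in g.inbound)


def outbound_allowed(groups, protocol, port, dst_ip, attachments=ATTACHMENTS):
    """Outbound is allowed by the default rules unless they were removed."""
    return any(_matches(r, protocol, port, dst_ip, attachments) for g in groups for r in g.outbound)


def diagnose(sg_allows, app_listening):
    """The troubleshooting rule from the slides: a time-out points at the security
    group, a connection refused at an application that is down or not launched."""
    if not sg_allows:
        return "timeout: the security group blocks the traffic"
    if not app_listening:
        return "connection refused: application error or not launched"
    return "connected"


if __name__ == "__main__":
    print(inbound_allowed([SG_WEB], "tcp", 22, "203.0.113.9"))   # False: not the admin IP
    print(inbound_allowed([SG_DB], "tcp", 123, "10.0.1.10"))     # True: instance carries sg-web
    print(diagnose(inbound_allowed([SG_WEB], "tcp", 3389, "203.0.113.9"), True))
```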
Classic Ports to know

* 22 = SSH (Secure Shell) - log into a Linux instance
* 21 = FTP (File Transfer Protocol) - upload files into a file share
* 22 = SFTP (Secure File Transfer Protocol) - upload files using SSH
* 80 = HTTP - access unsecured websites
* 443 = HTTPS - access secured websites
* 3389 = RDP (Remote Desktop Protocol) - log into a Windows instance
SSH Summary Table

                  SSH    Putty   EC2 Instance Connect
Mac               yes            yes
Linux             yes            yes
Windows < 10             yes     yes
Windows >= 10     yes    yes     yes
Which Lectures to watch

* Mac / Linux:
  * SSH on Mac/Linux lecture
* Windows:
  * Putty lecture
  * If Windows 10: SSH on Windows 10 lecture
* All:
  * EC2 Instance Connect lecture

SSH troubleshooting

* Students have the most problems with SSH
* If things don't work...
  1. Re-watch the lecture. You may have missed something
  2. Read the troubleshooting guide
  3. Try EC2 Instance Connect
* If one method works (SSH, Putty or EC2 Instance Connect) you're good
* If no method works, that's okay, the course won't use SSH much
How to SSH into your EC2 Instance - Linux / Mac OS X

* We'll learn how to SSH into your EC2 instance using Linux / Mac
* SSH is one of the most important functions. It allows you to control a remote machine, all using the command line.
* We will see how we can configure OpenSSH ~/.ssh/config to facilitate the SSH into our EC2 instances

[Diagram: WWW -> EC2 Instance (Linux, Public IP)]
How to SSH into your EC2 Instance - Windows

* We'll learn how to SSH into your EC2 instance using Windows
* SSH is one of the most important functions. It allows you to control a remote machine, all using the command line.
* We will configure all the required parameters necessary for doing SSH on Windows using the free tool Putty

[Diagram: WWW -> EC2 Instance (Linux, Public IP)]
EC2 Instance Connect

* Connect to your EC2 instance within your browser
* No need to use your key file that was downloaded
* The "magic" is that a temporary key is uploaded onto EC2 by AWS
* Works only out-of-the-box with Amazon Linux 2
* Need to make sure the port 22 is still opened!
EC2 Instances Purchasing Options

* On-Demand Instances - short workload, predictable pricing, pay by second
* Reserved (1 & 3 years)
  * Reserved Instances - long workloads
  * Convertible Reserved Instances - long workloads with flexible instances
* Savings Plans (1 & 3 years) - commitment to an amount of usage, long workload
* Spot Instances - short workloads, cheap, can lose instances (less reliable)
* Dedicated Hosts - book an entire physical server, control instance placement
* Dedicated Instances - no other customers will share your hardware
* Capacity Reservations - reserve capacity in a specific AZ for any duration
EC2 On Demand

* Pay for what you use:
  * Linux or Windows - billing per second, after the first minute
  * All other operating systems - billing per hour
* Has the highest cost but no upfront payment
* No long-term commitment
* Recommended for short-term and un-interrupted workloads, where you can't predict how the application will behave
EC2 Reserved Instances

* Up to 72% discount compared to On-demand
* You reserve specific instance attributes (Instance Type, Region, Tenancy, OS)
* Reservation Period - 1 year (+discount) or 3 years (+++discount)
* Payment Options - No Upfront (+), Partial Upfront (++), All Upfront (+++)
* Reserved Instance's Scope - Regional or Zonal (reserve capacity in an AZ)
* Recommended for steady-state usage applications (think database)
* You can buy and sell in the Reserved Instance Marketplace

* Convertible Reserved Instance
  * Can change the EC2 instance type, instance family, OS, scope and tenancy
  * Up to 66% discount

Note: the % discounts are different from the video as AWS change them over time - the exact numbers are not needed for the exam. This is just for illustrative purposes :)
EC2 Savings Plans

* Get a discount based on long-term usage (up to 72% - same as RIs)
* Commit to a certain type of usage ($10/hour for 1 or 3 years)
* Usage beyond EC2 Savings Plans is billed at the On-Demand price
* Locked to a specific instance family & AWS region (e.g., M5 in us-east-1)
* Flexible across:
  * Instance Size (e.g., m5.xlarge, m5.2xlarge)
  * OS (e.g., Linux, Windows)
  * Tenancy (Host, Dedicated, Default)
EC2 Spot Instances

* Can get a discount of up to 90% compared to On-demand
* Instances that you can "lose" at any point of time if your max price is less than the current spot price
* The MOST cost-efficient instances in AWS
* Useful for workloads that are resilient to failure
  * Batch jobs
  * Data analysis
  * Image processing
  * Any distributed workloads
  * Workloads with a flexible start and end time
* Not suitable for critical jobs or databases
EC2 Dedicated Hosts

* A physical server with EC2 instance capacity fully dedicated to your use
* Allows you to address compliance requirements and use your existing server-bound software licenses (per-socket, per-core, per-VM software licenses)
* Purchasing Options:
  * On-demand - pay per second for active Dedicated Host
  * Reserved - 1 or 3 years (No Upfront, Partial Upfront, All Upfront)
* The most expensive option
* Useful for software that has a complicated licensing model (BYOL - Bring Your Own License)
* Or for companies that have strong regulatory or compliance needs
EC2 Dedicated Instances

* Instances run on hardware that's dedicated to you
* May share hardware with other instances in the same account
* No control over instance placement (can move hardware after Stop / Start)

Characteristic                                        Dedicated Instances   Dedicated Hosts
Enables the use of dedicated physical servers         X                     X
Per instance billing (subject to a $2 per region fee) X
Per host billing                                                            X
Visibility of sockets, cores, host ID                                       X
Affinity between a host and instance                                        X
Targeted instance placement                                                 X
Automatic instance placement                          X                     X
Add capacity using an allocation request                                    X
EC2 Capacity Reservations

* Reserve On-Demand instance capacity in a specific AZ for any duration
* You always have access to EC2 capacity when you need it
* No time commitment (create/cancel anytime), no billing discounts
* Combine with Regional Reserved Instances and Savings Plans to benefit from billing discounts
* You're charged at the On-Demand rate whether you run instances or not
* Suitable for short-term, uninterrupted workloads that need to be in a specific AZ
Which purchasing option is right for me?

* On demand: coming and staying in a resort whenever we like, we pay the full price
* Reserved: like planning ahead and if we plan to stay for a long time, we may get a good discount.
* Savings Plans: pay a certain amount per hour for a certain period and stay in any room type (e.g. King, Suite, Sea View, ...)
* Spot instances: the hotel allows people to bid for the empty rooms and the highest bidder keeps the rooms. You can get kicked out at any time
* Dedicated Hosts: we book an entire building of the resort
* Capacity Reservations: you book a room for a period with full price even if you don't stay in it
Price Comparison
Example — m4.large — us-east-1

Price Type                             | Price (per hour)
On-Demand                              | $0.10
Spot Instance (Spot Price)             | $0.038 - $0.039 (up to 61% off)
Reserved Instance (1 year)             | $0.062 (No Upfront) - $0.058 (All Upfront)
Reserved Instance (3 years)            | $0.043 (No Upfront) - $0.037 (All Upfront)
EC2 Savings Plan (1 year)              | $0.062 (No Upfront) - $0.058 (All Upfront)
Reserved Convertible Instance (1 year) | $0.071 (No Upfront) - $0.066 (All Upfront)
Dedicated Host                         | On-Demand Price
Dedicated Host Reservation             | Up to 70% off
Capacity Reservations                  | On-Demand Price
EC2 Spot Instance Requests (1)

* Can get a discount of up to 90% compared to On-demand
* Define a max spot price and get the instance while the current spot price < max
  * The hourly spot price varies based on offer and capacity
  * If the current spot price > your max price, you can choose to stop or terminate your instance with a 2-minute grace period.
* Other strategy: Spot Block
  * "block" a spot instance during a specified time frame (1 to 6 hours) without interruptions
  * In rare situations, the instance may be reclaimed
* Used for batch jobs, data analysis, or workloads that are resilient to failures.
* Not great for critical jobs or databases
EC2 Spot Instances Pricing

[Console screenshot: Spot Instance Pricing History for Linux/UNIX, instance type m4.large, captured 1/30/2020 1:34:48 PM UTC+0000. The chart runs from Nov 8 to Feb 1 and shows the per-AZ spot price well below the On-Demand price of $0.1000, with a user-defined max price line.]

Availability Zone | Price
us-east-1a        | $0.0326
us-east-1b        | $0.0326
us-east-1c        | $0.0440
us-east-1d        | $0.0327
us-east-1e        | $0.0332
us-east-1f        | $0.0348

https://console.aws.amazon.com/ec2sp/v1/spot/home?region=us-east-1#
How to terminate Spot Instances?

[Diagram: Spot request lifecycle. A Spot request carries a maximum price, a desired number of instances, a launch specification, a request type (one-time | persistent) and a validity window (valid from, valid until). Create request -> Launch instances (or Request failed). On Interrupt, a one-time request is over; a persistent request survives Stop / Start and interruptions and is re-fulfilled until it is cancelled (disabled).]

You can only cancel Spot Instance requests that are open, active, or disabled.
Cancelling a Spot Request does not terminate instances
You must first cancel a Spot Request, and then terminate the associated Spot Instances

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-requests.html
Spot Fleets

* Spot Fleets = set of Spot Instances + (optional) On-Demand Instances
* The Spot Fleet will try to meet the target capacity with price constraints
  * Define possible launch pools: instance type (m5.large), OS, Availability Zone
  * Can have multiple launch pools, so that the fleet can choose
  * Spot Fleet stops launching instances when reaching capacity or max cost
* Strategies to allocate Spot Instances:
  * lowestPrice: from the pool with the lowest price (cost optimization, short workload)
  * diversified: distributed across all pools (great for availability, long workloads)
  * capacityOptimized: pool with the optimal capacity for the number of instances
  * priceCapacityOptimized (recommended): pools with the highest capacity available, then select the pool with the lowest price (best choice for most workloads)
* Spot Fleets allow us to automatically request Spot Instances with the lowest price
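The four allocation strategies worked over a handful of launch pools, as an added Python example (not course code and not how AWS implements the fleet internally). It assumes a pool is described by a name, its current spot price and its spare capacity; the `shortlist` size used by priceCapacityOptimized and the "stop at max cost" budget check are modelling choices of this example.

```python
"""Spot Fleet allocation strategies over constructed launch pools."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Pool:
    name: str       # launch pool: instance type / AZ, e.g. "m5.large/us-east-1a"
    price: float    # current spot price per hour (constructed value)
    capacity: int   # instances this pool can supply right now


def _launch(candidates: List[Pool], target: int,
            max_hourly_cost: Optional[float]) -> Dict[str, int]:
    """Launch one instance per candidate, in order, until the target capacity
    is met, every pool is exhausted, or the next launch would exceed the
    hourly budget (the fleet stops at capacity *or* at max cost)."""
    alloc: Dict[str, int] = {}
    left = {p.name: p.capacity for p in candidates}
    launched, cost = 0, 0.0
    for p in candidates:
        if launched >= target:
            break
        if left[p.name] == 0:
            continue
        if max_hourly_cost is not None and cost + p.price > max_hourly_cost + 1e-9:
            break
        alloc[p.name] = alloc.get(p.name, 0) + 1
        left[p.name] -= 1
        launched += 1
        cost += p.price
    return alloc


def allocate(pools: List[Pool], target: int, strategy: str,
             max_hourly_cost: Optional[float] = None,
             shortlist: int = 2) -> Dict[str, int]:
    """Return {pool name: instances launched} for one of the four strategies."""
    if strategy == "lowestPrice":
        order = sorted(pools, key=lambda p: p.price)
    elif strategy == "capacityOptimized":
        order = sorted(pools, key=lambda p: -p.capacity)
    elif strategy == "priceCapacityOptimized":
        # shortlist the pools with the most spare capacity, then prefer the
        # cheapest among them (shortlist size is an assumption of this model)
        deepest = sorted(pools, key=lambda p: -p.capacity)[:shortlist]
        order = sorted(deepest, key=lambda p: p.price)
    elif strategy == "diversified":
        # round-robin over every pool so the fleet is spread as evenly as
        # pool capacity allows
        rounds = max(p.capacity for p in pools)
        candidates = [p for _ in range(rounds) for p in pools]
        return _launch(candidates, target, max_hourly_cost)
    else:
        raise ValueError(f"unknown allocation strategy: {strategy}")
    # each pool repeated once per unit of capacity, cheapest/deepest first
    candidates = [p for p in order for _ in range(p.capacity)]
    return _launch(candidates, target, max_hourly_cost)


def hourly_cost(pools: List[Pool], alloc: Dict[str, int]) -> float:
    """Hourly spot cost of an allocation, rounded to 4 decimals."""
    price = {p.name: p.price for p in pools}
    return round(sum(price[n] * k for n, k in alloc.items()), 4)


# Constructed pools: four launch pools with made-up spot prices and capacity.
POOLS = [
    Pool("m5.large/us-east-1a", 0.035, 3),
    Pool("m5.large/us-east-1b", 0.040, 10),
    Pool("m5.large/us-east-1c", 0.033, 1),
    Pool("m5a.large/us-east-1a", 0.038, 6),
]

if __name__ == "__main__":
    for s in ("lowestPrice", "diversified", "capacityOptimized",
              "priceCapacityOptimized"):
        a = allocate(POOLS, 8, s)
        print(f"{s:24s} {a}  ${hourly_cost(POOLS, a)}/h")
```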


Private vs Public IP (IPv4)

* Networking has two sorts of IPs, IPv4 and IPv6:
  * IPv4: 1.160.10.240
  * IPv6: 3ffe:1900:4545:3:200:f8ff:fe21:67cf
* In this course, we will only be using IPv4.
* IPv4 is still the most common format used online.
* IPv6 is newer and solves problems for the Internet of Things (IoT).
* IPv4 allows for 3.7 billion different addresses in the public space
* IPv4: [0-255].[0-255].[0-255].[0-255].
Private vs Public IP (IPv4)
Example

[Diagram: Company A and Company B each run a private network on the same range, 192.168.0.1/22, and each reaches the internet through its own Internet Gateway with a public IP (149.140.72.10 and 253.144.139.205). On the public side sit a Server (public) at 211.139.37.43 and a Web Server (public) at 79.216.59.75.]
Private vs Public IP (IPv4)

Fundamental Differences

* Public IP:
  * Public IP means the machine can be identified on the internet (WWW)
  * Must be unique across the whole web (no two machines can have the same public IP).
  * Can be geo-located easily
* Private IP:
  * Private IP means the machine can only be identified on a private network
  * The IP must be unique across the private network
  * BUT two different private networks (two companies) can have the same IPs.
  * Machines connect to the WWW using a NAT + internet gateway (a proxy)
  * Only a specified range of IPs can be used as private IPs
Elastic IPs

* When you stop and then start an EC2 instance, it can change its public IP
* If you need to have a fixed public IP for your instance, you need an Elastic IP
* An Elastic IP is a public IPv4 IP you own as long as you don't delete it
* You can attach it to one instance at a time
Elastic IP

* With an Elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account.
* You can only have 5 Elastic IPs in your account (you can ask AWS to increase that).
* Overall, try to avoid using Elastic IPs:
  * They often reflect poor architectural decisions
  * Instead, use a random public IP and register a DNS name to it
  * Or, as we'll see later, use a Load Balancer and don't use a public IP
Private vs Public IP (IPv4)
In AWS EC2 — Hands On

* By default, your EC2 machine comes with:
  * A private IP for the internal AWS Network
  * A public IP for the WWW.
* When we are doing SSH into our EC2 machines:
  * We can't use a private IP because we are not in the same network
  * We can only use the public IP.
* If your machine is stopped and then started, the public IP can change
Placement Groups

* Sometimes you want control over the EC2 Instance placement strategy
* That strategy can be defined using placement groups
* When you create a placement group, you specify one of the following strategies for the group:
  * Cluster: clusters instances into a low-latency group in a single Availability Zone
  * Spread: spreads instances across underlying hardware (max 7 instances per group per AZ)
  * Partition: spreads instances across many different partitions (which rely on different sets of racks) within an AZ. Scales to 100s of EC2 instances per group (Hadoop, Cassandra, Kafka)
Placement Groups
Cluster

[Diagram: a Cluster placement group, all instances on the same rack in the same AZ, low latency 10 Gbps network]

* Pros: Great network (10 Gbps bandwidth between instances with Enhanced Networking enabled - recommended)
* Cons: If the rack fails, all instances fail at the same time
* Use case:
  * Big Data job that needs to complete fast
  * Application that needs extremely low latency and high network throughput
Placement Groups
Spread

[Diagram: EC2 instances spread across us-east-1a, us-east-1b and us-east-1c, each on a different piece of physical hardware (Hardware 1 to Hardware 6)]

* Pros:
  * Can span across Availability Zones
  * Reduced risk of simultaneous failure
  * EC2 Instances are on different physical hardware
* Cons:
  * Limited to 7 instances per AZ per placement group
* Use case:
  * Application that needs to maximize high availability
  * Critical Applications where each instance must be isolated from failure from each other
Placement Groups
Partition

[Diagram: a Partition placement group spanning us-east-1a and us-east-1b, with EC2 instances grouped into Partition 1, Partition 2 and Partition 3]

* Up to 7 partitions per AZ
* Can span across multiple AZs in the same region
* Up to 100s of EC2 instances
* The instances in a partition do not share racks with the instances in the other partitions
* A partition failure can affect many EC2 instances but won't affect other partitions
* EC2 instances get access to the partition information as metadata
* Use cases: HDFS, HBase, Cassandra, Kafka
Elastic Network Interfaces (ENI)

[Diagram: one Availability Zone with two EC2 instances. The first has Eth0 (primary ENI, 192.168.0.31) and Eth1 (secondary ENI, 192.168.0.42); the second has only Eth0 (primary ENI). The secondary ENI can be moved to the second instance for failover.]

* Logical component in a VPC that represents a virtual network card
* The ENI can have the following attributes:
  * Primary private IPv4, one or more secondary IPv4
  * One Elastic IP (IPv4) per private IPv4
  * One Public IPv4
  * One or more security groups
  * A MAC address
* You can create ENIs independently and attach them on the fly (move them) on EC2 instances for failover
* Bound to a specific availability zone (AZ)
EC2 Hibernate

* We know we can stop and terminate instances
  * Stop: the data on disk (EBS) is kept intact for the next start
  * Terminate: any EBS volume (root) also set up to be destroyed is lost
* On start, the following happens:
  * First start: the OS boots & the EC2 User Data script is run
  * Following starts: the OS boots up
  * Then your application starts, caches get warmed up, and that can take time!
EC2 Hibernate

[Diagram: an EC2 Instance goes Running -> Hibernation -> Stopped -> Running; on hibernation the RAM contents are dumped to the Root EBS Volume and restored from it on the next start]

* Introducing EC2 Hibernate:
  * The in-memory (RAM) state is preserved
  * The instance boot is much faster! (the OS is not stopped / restarted)
  * Under the hood: the RAM state is written to a file in the root EBS volume
  * The root EBS volume must be encrypted
* Use cases:
  * Long-running processing
  * Saving the RAM state
  * Services that take time to initialize
EC2 Hibernate — Good to know

* Supported Instance Families: C3, C4, C5, I3, M3, M4, R3, R4, T2, T3, ...
* Instance RAM Size: must be less than 150 GB.
* Instance Size: not supported for bare metal instances.
* AMI: Amazon Linux 2, Linux AMI, Ubuntu, RHEL, CentOS & Windows...
* Root Volume: must be EBS, encrypted, not instance store, and large
* Available for On-Demand, Reserved and Spot Instances
* An instance can NOT be hibernated more than 60 days
EC2 Instance Storage Section
What's an EBS Volume?

* An EBS (Elastic Block Store) Volume is a network drive you can attach to your instances while they run
* It allows your instances to persist data, even after their termination
  * They can only be mounted to one instance at a time (at the CCP level)
  * They are bound to a specific availability zone
* Analogy: Think of them as a "network USB stick"
* Free tier: 30 GB of free EBS storage of type General Purpose (SSD) or Magnetic per month
EBS Volume

* It's a network drive (i.e. not a physical drive)
  * It uses the network to communicate with the instance, which means there might be a bit of latency
  * It can be detached from an EC2 instance and attached to another one quickly
* It's locked to an Availability Zone (AZ)
  * An EBS Volume in us-east-1a cannot be attached to us-east-1b
  * To move a volume across, you first need to snapshot it
* Has a provisioned capacity (size in GBs, and IOPS)
  * You get billed for all the provisioned capacity
  * You can increase the capacity of the drive over time
EBS Volume - Example

[Diagram: four EBS volumes (10 GB, 100 GB, 50 GB and 10 GB) attached to EC2 instances in US-EAST-1A and US-EAST-1B, one of them left unattached; a volume only ever attaches to an instance in its own AZ]
EBS — Delete on Termination attribute

[Console screenshot, "Add Storage" step: the Root volume /dev/xvda (from snapshot snap-09f18f682fd23a1b1, General Purpose SSD (gp2), IOPS 100/3000, Not Encrypted) has Delete on Termination checked; a second EBS volume /dev/sdb (gp2, IOPS 100/3000, Not Encrypted) has it unchecked. "Add New Volume" button.]

* Controls the EBS behaviour when an EC2 instance terminates
  * By default, the root EBS volume is deleted (attribute enabled)
  * By default, any other attached EBS volume is not deleted (attribute disabled)
* This can be controlled by the AWS console / AWS CLI
* Use case: preserve the root volume when the instance is terminated
EBS Snapshots

* Make a backup (snapshot) of your EBS volume at a point in time
* Not necessary to detach the volume to do a snapshot, but recommended
* Can copy snapshots across AZ or Region

[Diagram: an EBS volume (50 GB) in US-EAST-1A is snapshotted to an EBS Snapshot, which is then restored as a new EBS volume (50 GB) in US-EAST-1B]
EBS Snapshots Features

* EBS Snapshot Archive
  * Move a Snapshot to an "archive tier" that is 75% cheaper
  * Takes within 24 to 72 hours for restoring the archive
* Recycle Bin for EBS Snapshots
  * Set up rules to retain deleted snapshots so you can recover them after an accidental deletion
  * Specify retention (from 1 day to 1 year)
* Fast Snapshot Restore (FSR)
  * Force full initialization of the snapshot to have no latency on the first use ($$)

[Diagram: EBS Snapshot -> archive -> EBS Snapshot Archive; EBS Snapshot -> delete -> Recycle Bin]


AMI Overview 


* AMI = Amazon Machine Image
* AMIs are a customization of an EC2 instance
  * You add your own software, configuration, operating system, monitoring...
  * Faster boot / configuration time because all your software is pre-packaged
* AMIs are built for a specific region (and can be copied across regions)
* You can launch EC2 instances from:
  * A Public AMI: AWS provided
  * Your own AMI: you make and maintain them yourself
  * An AWS Marketplace AMI: an AMI someone else made (and potentially sells)
AMI Process (from an EC2 instance)

* Start an EC2 instance and customize it
* Stop the instance (for data integrity)
* Build an AMI — this will also create EBS snapshots
* Launch instances from other AMIs

[Diagram: an EC2 instance in US-EAST-1A -> Create AMI -> Custom AMI -> Launch from AMI -> a new EC2 instance in US-EAST-1B]
EC2 Instance Store

* EBS volumes are network drives with good but "limited" performance
* If you need a high-performance hardware disk, use EC2 Instance Store
* Better I/O performance
* EC2 Instance Stores lose their storage if they're stopped (ephemeral)
* Good for buffer / cache / scratch data / temporary content
* Risk of data loss if hardware fails
* Backups and Replication are your responsibility
Local EC2 Instance Store

Very high IOPS

Instance Size  | 100% Random Read IOPS | Write IOPS
i3.large *     | 100,125               | 35,000
i3.xlarge *    | 206,250               | 70,000
i3.2xlarge     | 412,500               | 180,000
i3.4xlarge     | 825,000               | 360,000
i3.8xlarge     | 1.65 million          | 720,000
i3.16xlarge    | 3.3 million           | 1.4 million
i3.metal       | 3.3 million           | 1.4 million
i3en.large *   | 42,500                | 32,500
i3en.xlarge *  | 85,000                | 65,000
i3en.2xlarge * | 170,000               | 130,000
i3en.3xlarge   | 250,000               | 200,000
i3en.6xlarge   | 500,000               | 400,000
i3en.12xlarge  | 1 million             | 800,000
i3en.24xlarge  | 2 million             | 1.6 million
i3en.metal     | 2 million             | 1.6 million
EBS Volume Types

* EBS Volumes come in 6 types
  * gp2 / gp3 (SSD): General purpose SSD volume that balances price and performance for a wide variety of workloads
  * io1 / io2 (SSD): Highest-performance SSD volume for mission-critical low-latency or high-throughput workloads
  * st1 (HDD): Low cost HDD volume designed for frequently accessed, throughput-intensive workloads
  * sc1 (HDD): Lowest cost HDD volume designed for less frequently accessed workloads
* EBS Volumes are characterized in Size | Throughput | IOPS (I/O Ops Per Sec)
* When in doubt always consult the AWS documentation — it's good!
* Only gp2/gp3 and io1/io2 can be used as boot volumes
EBS Volume Types Use cases
General Purpose SSD

* Cost effective storage, low-latency
* System boot volumes, Virtual desktops, Development and test environments
* 1 GiB - 16 TiB
* gp3:
  * Baseline of 3,000 IOPS and throughput of 125 MiB/s
  * Can increase IOPS up to 16,000 and throughput up to 1000 MiB/s independently
* gp2:
  * Small gp2 volumes can burst IOPS to 3,000
  * Size of the volume and IOPS are linked, max IOPS is 16,000
  * 3 IOPS per GB, which means at 5,334 GB we are at the max IOPS
EBS Volume Types Use cases
Provisioned IOPS (PIOPS) SSD

* Critical business applications with sustained IOPS performance
* Or applications that need more than 16,000 IOPS
* Great for database workloads (sensitive to storage perf and consistency)
* io1/io2 (4 GiB - 16 TiB):
  * Max PIOPS: 64,000 for Nitro EC2 instances & 32,000 for other
  * Can increase PIOPS independently from storage size
  * io2 has more durability and more IOPS per GiB (at the same price as io1)
* io2 Block Express (4 GiB - 64 TiB):
  * Sub-millisecond latency
  * Max PIOPS: 256,000 with an IOPS:GiB ratio of 1,000:1
* Supports EBS Multi-attach
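The sizing rules from the General Purpose SSD and Provisioned IOPS SSD slides above, turned into a small Python capacity-planning helper. This is an added example, not course material; the 100 IOPS floor for tiny gp2 volumes is AWS's documented minimum and is not on the slide, and the size ranges are the ones these two slides give.

```python
"""EBS IOPS sizing rules (gp2, gp3, io1/io2, io2 Block Express, st1, sc1)."""
import math

# Allowed volume sizes in GiB per type (16 TiB = 16,384 GiB, 64 TiB = 65,536 GiB)
SIZE_LIMITS_GIB = {
    "gp2": (1, 16_384), "gp3": (1, 16_384),
    "io1": (4, 16_384), "io2": (4, 16_384),
    "io2-block-express": (4, 65_536),
    "st1": (125, 16_384), "sc1": (125, 16_384),
}

GP2_IOPS_PER_GIB = 3
GP2_MIN_IOPS = 100          # AWS floor for very small gp2 volumes (not on the slide)
GP2_BURST_IOPS = 3_000
GP_MAX_IOPS = 16_000
IO_MAX_IOPS = {True: 64_000, False: 32_000}   # keyed by "is a Nitro instance"
IO2_BX_IOPS_PER_GIB = 1_000
IO2_BX_MAX_IOPS = 256_000


def validate_size(volume_type: str, size_gib: int) -> None:
    """Reject sizes outside the range the slides give for the volume type."""
    lo, hi = SIZE_LIMITS_GIB[volume_type]
    if not lo <= size_gib <= hi:
        raise ValueError(f"{volume_type}: {size_gib} GiB is outside {lo}-{hi} GiB")


def gp2_baseline_iops(size_gib: int) -> int:
    """gp2 ties IOPS to size: 3 IOPS per GiB, floor 100, ceiling 16,000."""
    validate_size("gp2", size_gib)
    return min(GP_MAX_IOPS, max(GP2_MIN_IOPS, GP2_IOPS_PER_GIB * size_gib))


def gp2_can_burst(size_gib: int) -> bool:
    """Small gp2 volumes (baseline below 3,000 IOPS) can burst up to 3,000."""
    return gp2_baseline_iops(size_gib) < GP2_BURST_IOPS


def smallest_gp2_size_at_max_iops() -> int:
    """Size at which 3 IOPS/GiB reaches the 16,000 cap (the slide's 5,334)."""
    return math.ceil(GP_MAX_IOPS / GP2_IOPS_PER_GIB)


def max_provisionable_iops(volume_type: str, size_gib: int,
                           nitro: bool = True) -> int:
    """Highest IOPS the volume can deliver: size-bound for gp2, provisioned
    independently of size for gp3/io1/io2, ratio-bound for io2 Block Express,
    fixed for the HDD types."""
    validate_size(volume_type, size_gib)
    if volume_type == "gp2":
        return gp2_baseline_iops(size_gib)
    if volume_type == "gp3":
        return GP_MAX_IOPS
    if volume_type in ("io1", "io2"):
        return IO_MAX_IOPS[nitro]            # 64,000 on Nitro, 32,000 otherwise
    if volume_type == "io2-block-express":
        return min(IO2_BX_MAX_IOPS, IO2_BX_IOPS_PER_GIB * size_gib)   # 1,000:1
    if volume_type == "st1":
        return 500
    if volume_type == "sc1":
        return 250
    raise ValueError(f"unknown volume type {volume_type}")


if __name__ == "__main__":
    for size in (8, 100, 1_000, 5_333, 5_334, 16_384):
        print(f"gp2 {size:>6} GiB: baseline {gp2_baseline_iops(size):>6} IOPS, "
              f"burst {'yes' if gp2_can_burst(size) else 'no'}")
    print("gp2 reaches 16,000 IOPS at", smallest_gp2_size_at_max_iops(), "GiB")
    print("io2 Block Express 100 GiB:",
          max_provisionable_iops("io2-block-express", 100), "IOPS")
```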
EBS Volume Types Use cases
Hard Disk Drives (HDD)

* Cannot be a boot volume
* 125 GiB to 16 TiB
* Throughput Optimized HDD (st1)
  * Big Data, Data Warehouses, Log Processing
  * Max throughput 500 MiB/s — max IOPS 500
* Cold HDD (sc1):
  * For data that is infrequently accessed
  * Scenarios where lowest cost is important
  * Max throughput 250 MiB/s — max IOPS 250
EBS — Volume Types Summary

General Purpose SSD (gp3, gp2)
  Durability: 99.8% - 99.9% (0.1% - 0.2% annual failure rate)
  Use cases: low-latency interactive apps; development and test environments
  Volume size: 1 GiB - 16 TiB
  Max IOPS per volume: 16,000 (16 KiB I/O)
  Amazon EBS Multi-attach: not supported
  Boot volume: supported

Provisioned IOPS SSD (io2 Block Express + io2)
  Durability: 99.999% (0.001% annual failure rate)
  Use cases: workloads that require sub-millisecond latency, sustained IOPS performance, or more than 64,000 IOPS or 1,000 MiB/s of throughput
  Volume size: 4 GiB - 64 TiB
  Max IOPS per volume: 256,000 (16 KiB I/O)
  Amazon EBS Multi-attach: supported
  Boot volume: supported

Provisioned IOPS SSD (io1)
  Durability: 99.8% - 99.9% (0.1% - 0.2% annual failure rate)
  Use cases: workloads that require sustained IOPS performance or more than 16,000 IOPS; I/O-intensive database workloads
  Volume size: 4 GiB - 16 TiB
  Max IOPS per volume: 64,000 (16 KiB I/O)
  Amazon EBS Multi-attach: supported
  Boot volume: supported

Throughput Optimized HDD (st1)
  Durability: 99.8% - 99.9% (0.1% - 0.2% annual failure rate)
  Use cases: big data; data warehouses; log processing
  Volume size: 125 GiB - 16 TiB
  Max IOPS per volume: 500 (1 MiB I/O)
  Max throughput per volume: 500 MiB/s
  Amazon EBS Multi-attach: not supported
  Boot volume: not supported

Cold HDD (sc1)
  Durability: 99.8% - 99.9% (0.1% - 0.2% annual failure rate)
  Use cases: throughput-oriented storage for data that is infrequently accessed; scenarios where the lowest storage cost is important
  Volume size: 125 GiB - 16 TiB
  Max IOPS per volume: 250 (1 MiB I/O)
  Max throughput per volume: 250 MiB/s
  Amazon EBS Multi-attach: not supported
  Boot volume: not supported

es.html#solid-state-drives
EBS Multi-Attach — io1/io2 family

[Diagram: one io2 volume with Multi-Attach shared by several EC2 instances in Availability Zone 1]

* Attach the same EBS volume to multiple EC2 instances in the same AZ
* Each instance has full read & write permissions to the high-performance volume
* Use case:
  * Achieve higher application availability in clustered Linux applications (ex: Teradata)
  * Applications must manage concurrent write operations
* Up to 16 EC2 Instances at a time
* Must use a file system that's cluster-aware (not XFS, EXT4, etc...)
EBS Encryption

* When you create an encrypted EBS volume, you get the following:
  * Data at rest is encrypted inside the volume
  * All the data in flight moving between the instance and the volume is encrypted
  * All snapshots are encrypted
  * All volumes created from the snapshot are encrypted
* Encryption and decryption are handled transparently (you have nothing to do)
* Encryption has a minimal impact on latency
* EBS Encryption leverages keys from KMS (AES-256)
* Copying an unencrypted snapshot allows encryption
* Snapshots of encrypted volumes are encrypted
Encryption: encrypt an unencrypted EBS volume

* Create an EBS snapshot of the volume
* Encrypt the EBS snapshot (using copy)
* Create a new EBS volume from the snapshot (the volume will also be encrypted)
* Now you can attach the encrypted volume to the original instance
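The four steps above scripted against the boto3 EC2 client, as an added Python example that is not part of the course. It assumes `ec2` is `boto3.client("ec2", region_name=...)` (or anything with the same create_snapshot / copy_snapshot / create_volume / attach_volume / get_waiter methods); `FakeEC2` is a constructed stand-in so the flow runs offline, and the ids it returns are made up.

```python
"""Encrypt an unencrypted EBS volume: snapshot -> encrypted copy -> new volume -> attach."""
from typing import Any, Dict, List, Optional, Tuple


def encrypt_volume(ec2: Any, volume_id: str, region: str, az: str,
                   instance_id: str, device: str,
                   kms_key_id: Optional[str] = None) -> Dict[str, str]:
    """Run the four steps and return the ids created along the way.
    kms_key_id=None lets AWS use the account's default EBS encryption key."""
    # 1. Point-in-time snapshot of the unencrypted volume.
    src = ec2.create_snapshot(VolumeId=volume_id,
                              Description=f"pre-encryption copy of {volume_id}")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[src])

    # 2. Copying the snapshot is the operation that lets you turn encryption on.
    copy_kwargs = dict(SourceSnapshotId=src, SourceRegion=region, Encrypted=True,
                       Description=f"encrypted copy of {src}")
    if kms_key_id:
        copy_kwargs["KmsKeyId"] = kms_key_id
    enc = ec2.copy_snapshot(**copy_kwargs)["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc])

    # 3. A volume created from an encrypted snapshot is itself encrypted;
    #    verify rather than assume before putting data on it.
    vol = ec2.create_volume(SnapshotId=enc, AvailabilityZone=az)
    if not vol.get("Encrypted"):
        raise RuntimeError(f"volume {vol.get('VolumeId')} came back unencrypted")
    new_id = vol["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_id])

    # 4. Attach to the original instance (unmount and detach the old volume
    #    from `device` first, or pick a free device name).
    ec2.attach_volume(VolumeId=new_id, InstanceId=instance_id, Device=device)
    return {"source_snapshot": src, "encrypted_snapshot": enc, "volume": new_id}


class FakeEC2:
    """Constructed stand-in for the boto3 client: records calls, returns fake ids."""

    def __init__(self, volume_encrypted: bool = True) -> None:
        self.calls: List[Tuple[str, dict]] = []
        self.volume_encrypted = volume_encrypted

    def create_snapshot(self, **kw):
        self.calls.append(("create_snapshot", kw))
        return {"SnapshotId": "snap-0fake-src"}

    def copy_snapshot(self, **kw):
        self.calls.append(("copy_snapshot", kw))
        return {"SnapshotId": "snap-0fake-enc"}

    def create_volume(self, **kw):
        self.calls.append(("create_volume", kw))
        return {"VolumeId": "vol-0fake-enc", "Encrypted": self.volume_encrypted}

    def attach_volume(self, **kw):
        self.calls.append(("attach_volume", kw))
        return {"State": "attaching"}

    def get_waiter(self, name: str):
        self.calls.append(("get_waiter", {"name": name}))
        return type("Waiter", (), {"wait": lambda self, **kw: None})()


if __name__ == "__main__":
    fake = FakeEC2()
    print(encrypt_volume(fake, "vol-0fake-plain", "us-east-1", "us-east-1a",
                         "i-0fake", "/dev/sdf", kms_key_id="alias/ebs-key"))
    for name, kw in fake.calls:
        print(name, kw)
```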
Amazon EFS — Elastic File System

* Managed NFS (network file system) that can be mounted on many EC2 instances
* EFS works with EC2 instances in multi-AZ
* Highly available, scalable, expensive (3x gp2), pay per use

[Diagram: one EFS file system mounted by EC2 instances in us-east-1a, us-east-1b and us-east-1c]
Amazon EFS — Elastic File System

* Use cases: content management,  web serving, data sharing, Wordpress
* Uses the NFSv4.1 protocol
* Uses security groups to control access to EFS
* Compatible with Linux based AMIs (not Windows)
* Encryption at rest using KMS
* POSIX file system (~Linux) that has a standard file API
* File system scales automatically, pay-per-use, no capacity planning!
EFS — Performance & Storage Classes

* EFS Scale
  * 1000s of concurrent NFS clients, 10 GB+/s throughput
  * Grow to Petabyte-scale network file system, automatically
* Performance Mode (set at EFS creation time)
  * General Purpose (default): latency-sensitive use cases (web server, CMS, etc...)
  * Max I/O: higher latency, throughput, highly parallel (big data, media processing)
* Throughput Mode
  * Bursting: 1 TB = 50 MiB/s + burst of up to 100 MiB/s
  * Provisioned: set your throughput regardless of storage size, ex: 1 GiB/s for 1 TB storage
  * Elastic: automatically scales throughput up or down based on your workloads
    * Up to 3 GiB/s for reads and 1 GiB/s for writes
    * Used for unpredictable workloads
EFS — Storage Classes

* Storage Tiers (lifecycle management feature: move file after N days)
  * Standard: for frequently accessed files
  * Infrequent access (EFS-IA): cost to retrieve files, lower price to store. Enable EFS-IA with a Lifecycle Policy
* Availability and durability
  * Standard: Multi-AZ, great for prod
  * One Zone: One AZ, great for dev, backup enabled by default, compatible with IA (EFS One Zone-IA)
* Over 90% in cost savings

[Diagram: Amazon EFS File System; a file in EFS Standard with no access for 60 days is moved by the Lifecycle Policy to EFS IA]
EBS vs EFS — Elastic Block Storage

* EBS volumes...
  * one instance (except multi-attach io1/io2)
  * are locked at the Availability Zone (AZ) level
  * gp2: IO increases if the disk size increases
  * io1: can increase IO independently
* To migrate an EBS volume across AZ
  * Take a snapshot
  * Restore the snapshot to another AZ
  * EBS backups use IO and you shouldn't run them while your application is handling a lot of traffic
* Root EBS Volumes of instances get terminated by default if the EC2 instance gets terminated. (you can disable that)

[Diagram: an EC2 instance with an EBS volume in Availability Zone 1; an EBS Snapshot of it is restored as an EBS volume for an instance in Availability Zone 2]
EBS vs EFS — Elastic File System

* Mounting 100s of instances across AZ
* EFS shares website files (WordPress)
* Only for Linux Instances (POSIX)
* EFS has a higher price point than EBS
* Can leverage EFS-IA for cost savings
* Remember: EFS vs EBS vs Instance Store

[Diagram: one EFS file system with a Mount Target in Availability Zone 1 and another in Availability Zone 2, each used by the EC2 instances in that zone]
AWS Fundamentals — Part II

Load Balancing, Auto Scaling Groups and EBS Volumes
Scalability & High Availability


* Scalability means that an application / system can handle greater loads by adapting.
* There are two kinds of scalability:
  * Vertical Scalability
  * Horizontal Scalability (= elasticity)
* Scalability is linked to, but different from, High Availability
* Let's deep dive into the distinction, using a call center as an example
Vertical Scalability

* Vertical scalability means increasing the size of the instance
* For example, your application runs on a t2.micro
* Scaling that application vertically means running it on a t2.large
* Vertical scalability is very common for non distributed systems, such as a database.
* RDS, ElastiCache are services that can scale vertically.
* There's usually a limit to how much you can vertically scale (hardware limit)

[Illustration: a junior operator replaced by a senior operator]


Horizontal Scalability 


* Horizontal Scalability means increasing the number of instances / systems for your application
* Horizontal scaling implies distributed systems.
* This is very common for web applications / modern applications
* It's easy to horizontally scale thanks to cloud offerings such as Amazon EC2
High Availability

* High Availability usually goes hand in hand with horizontal scaling
* High availability means running your application / system in at least 2 data centers (== Availability Zones)
* The goal of high availability is to survive a data center loss
* The high availability can be passive (for RDS Multi AZ for example)
* The high availability can be active (for horizontal scaling)


High Availability & Scalability For EC2 


* Vertical Scaling: Increase instance size (= scale up / down)
  * From: t2.nano - 0.5G of RAM, 1 vCPU
  * To: u-12tb1.metal - 12.3 TB of RAM, 448 vCPUs
* Horizontal Scaling: Increase number of instances (= scale out / in)
  * Auto Scaling Group
  * Load Balancer
* High Availability: Run instances for the same application across multi AZ
  * Auto Scaling Group multi AZ
  * Load Balancer multi AZ
What is load balancing?

* Load Balancers are servers that forward traffic to multiple servers (e.g., EC2 instances) downstream

[Diagram: users -> Elastic Load Balancer -> three EC2 Instances]
Why use a load balancer?

* Spread load across multiple downstream instances
* Expose a single point of access (DNS) to your application
* Seamlessly handle failures of downstream instances
* Do regular health checks to your instances
* Provide SSL termination (HTTPS) for your websites
* Enforce stickiness with cookies
* High availability across zones
* Separate public traffic from private traffic
Why use an Elastic Load Balancer?

* An Elastic Load Balancer is a managed load balancer
  * AWS guarantees that it will be working
  * AWS takes care of upgrades, maintenance, high availability
  * AWS provides only a few configuration knobs
* It costs less to set up your own load balancer but it will be a lot more effort on your end
* It is integrated with many AWS offerings / services
  * EC2, EC2 Auto Scaling Groups, Amazon ECS
  * AWS Certificate Manager (ACM), CloudWatch
  * Route 53, AWS WAF, AWS Global Accelerator
Health Checks

* Health Checks are crucial for Load Balancers
* They enable the load balancer to know if the instances it forwards traffic to are available to reply to requests
* The health check is done on a port and a route (/health is common)
* If the response is not 200 (OK), then the instance is unhealthy

[Diagram: Elastic Load Balancer -> Health Checks (Protocol: HTTP, Port: 4567, Endpoint: /health) -> EC2 Instance]
Types of load balancer on AWS

* AWS has 4 kinds of managed Load Balancers
  * Classic Load Balancer (v1 - old generation) — 2009 — CLB
    * HTTP, HTTPS, TCP, SSL (secure TCP)
  * Application Load Balancer (v2 - new generation) — 2016 — ALB
    * HTTP, HTTPS, WebSocket
  * Network Load Balancer (v2 - new generation) — 2017 — NLB
    * TCP, TLS (secure TCP), UDP
  * Gateway Load Balancer — 2020 — GWLB
    * Operates at layer 3 (Network layer) — IP Protocol
* Overall, it is recommended to use the newer generation load balancers as they provide more features
* Some load balancers can be set up as internal (private) or external (public) ELBs
Load Balancer Security Groups

[Diagram: Users -> (HTTPS / HTTP from anywhere) -> Load Balancer -> (HTTP restricted to the load balancer) -> EC2 instances]

Load Balancer Security Group:
Type  | Protocol | Port Range | Source    | Description
HTTP  | TCP      | 80         | 0.0.0.0/0 | Allow HTTP from an...
HTTPS | TCP      | 443        | 0.0.0.0/0 | Allow HTTPS from a...

Application Security Group: Allow traffic only from Load Balancer
Type  | Protocol | Port Range | Source                        | Description
HTTP  | TCP      | 80         | sg-054b5ff5ea02f2b6e (load-b... | Allow Traffic only...
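A check for the two-tier pattern on this slide, written as an added Python example (not course code): the load balancer's group may be open to the internet on 80/443 only, and the application group must accept traffic solely from the load balancer's group. `Rule` mirrors the console columns; the security group id is the one on the screenshot, and `APP_RULES_WEAK` is a constructed misconfiguration to show what a finding looks like.

```python
"""Audit the load balancer / application security-group pair from the slide."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

ANYWHERE = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Rule:
    """One inbound rule as the console shows it."""
    protocol: str     # "tcp", "udp", "icmp", or "-1" for all protocols
    from_port: int
    to_port: int
    source: str       # CIDR block or a security group id


def audit_two_tier(lb_rules: Iterable[Rule], app_rules: Iterable[Rule],
                   lb_sg_id: str,
                   public_ports: Tuple[int, ...] = (80, 443)) -> List[str]:
    """Return a list of findings; an empty list means the pattern is intact."""
    findings: List[str] = []
    allowed = set(public_ports)
    for r in lb_rules:
        # the public tier should expose nothing beyond the web ports over TCP
        ports = set(range(r.from_port, r.to_port + 1))
        if r.protocol != "tcp" or not ports <= allowed:
            findings.append(
                f"load balancer SG exposes {r.protocol} {r.from_port}-{r.to_port} "
                f"from {r.source}; only TCP {sorted(allowed)} should be public")
    for r in app_rules:
        # the app tier must be reachable only by referencing the LB's group
        if r.source in ANYWHERE:
            findings.append(
                f"application SG accepts {r.protocol} {r.from_port}-{r.to_port} "
                f"from {r.source}: traffic can bypass the load balancer")
        elif r.source != lb_sg_id:
            findings.append(
                f"application SG accepts traffic from {r.source}, "
                f"not the load balancer SG {lb_sg_id}")
        if r.protocol == "-1":
            findings.append("application SG allows all protocols; limit it to the app port")
    return findings


# The groups exactly as the slide shows them (sg id copied from the screenshot).
LB_SG_ID = "sg-054b5ff5ea02f2b6e"
LB_RULES = [Rule("tcp", 80, 80, "0.0.0.0/0"), Rule("tcp", 443, 443, "0.0.0.0/0")]
APP_RULES = [Rule("tcp", 80, 80, LB_SG_ID)]

# Constructed weak variant: the app tier was "temporarily" opened to the world.
APP_RULES_WEAK = APP_RULES + [Rule("tcp", 80, 80, "0.0.0.0/0")]

if __name__ == "__main__":
    print("slide config:", audit_two_tier(LB_RULES, APP_RULES, LB_SG_ID) or "OK")
    print("weak config :", audit_two_tier(LB_RULES, APP_RULES_WEAK, LB_SG_ID))
```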
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Classic Load Balancers (v1)


* Supports TCP (Layer 4), HTTP & HTTPS (Layer 7)
* Health checks are TCP or HTTP based
* Fixed hostname XXX.region.elb.amazonaws.com

(Diagram: Client connecting through the Classic Load Balancer)
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Application Load Balancer (v2) 


* Application load balancers are Layer 7 (HTTP)

* Load balancing to multiple HTTP applications across machines (target groups)
* Load balancing to multiple applications on the same machine (ex: containers)

* Support for HTTP/2 and WebSocket
* Support redirects (from HTTP to HTTPS for example)
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Application Load Balancer (v2) 


* Routing tables to different target groups:
* Routing based on path in URL (example.com/users & example.com/posts)
* Routing based on hostname in URL (one.example.com & other.example.com)
* Routing based on Query String, Headers (example.com/users?id=123&order=false)

* ALBs are a great fit for microservices & container-based applications (example: Docker & Amazon ECS)
* Has a port mapping feature to redirect to a dynamic port in ECS
* In comparison, we'd need multiple Classic Load Balancers per application
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Application Load Balancer (v2) 
HTTP Based Traffic

(Diagram: HTTP traffic reaches the External Application Load Balancer (v2); route /user goes to one Target Group, route /search to another Target Group)
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Application Load Balancer (v2) 
Target Groups

* EC2 instances (can be managed by an Auto Scaling Group) — HTTP
* ECS tasks (managed by ECS itself) — HTTP
* Lambda functions — HTTP request is translated into a JSON event
* IP Addresses — must be private IPs

* ALB can route to multiple target groups
* Health checks are at the target group level
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Application Load Balancer (v2) 
Query Strings/Parameters Routing

(Diagram: requests reach the External Application Load Balancer (v2); ?Platform=Mobile is routed to Target Group 1 (AWS, EC2 based), ?Platform=Desktop to Target Group 2 (On-premises, Private IP routing))
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Application Load Balancer (v2) 
Good to Know

* Fixed hostname (XXX.region.elb.amazonaws.com)
* The application servers don't see the IP of the client directly
* The true IP of the client is inserted in the header X-Forwarded-For
* We can also get Port (X-Forwarded-Port) and proto (X-Forwarded-Proto)

(Diagram: the client (Client IP 12.34.56.78) connects to the Load Balancer, where the connection is terminated; the EC2 instance sees the Load Balancer IP (Private IP))
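Reading X-Forwarded-For correctly matters for anything that keys on the client address (rate limits, audit logs, allow lists): the balancer appends the address it saw to the end of whatever header the client already sent, so the leftmost value is client-controlled. The code below is an added example, not from the course; it contrasts the common "take the first entry" mistake with a parser that counts back from the right through the proxies you actually operate. The number of trusted hops is an assumption you set for your own topology (one for a single ALB), and the header values are constructed.

```python
"""Derive the client IP from X-Forwarded-For behind an ALB.  Added example, not
from the slides.  The balancer appends the address it saw to the end of the
header, so client-supplied entries sit to the left; `trusted_hops` is an
assumption matching how many proxies you control between client and app."""
import ipaddress
from typing import Optional


def naive_client_ip(xff_header: str) -> str:
    """The common mistake: trust the leftmost entry, which the client wrote."""
    return xff_header.split(",")[0].strip()


def client_ip_from_xff(xff_header: Optional[str], peer_ip: str, trusted_hops: int = 1) -> str:
    """Return the address the last trusted proxy observed.

    xff_header   : X-Forwarded-For as received by the app (None if absent)
    peer_ip      : TCP peer of the app server, i.e. the balancer's private IP
    trusted_hops : proxies you control that each append one entry (ALB = 1)
    """
    if not xff_header:
        return peer_ip            # no proxy in the path: the peer is the client
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    idx = len(hops) - trusted_hops   # count back over the entries our proxies added
    if idx < 0:
        return peer_ip            # fewer entries than trusted proxies: do not guess
    try:
        return str(ipaddress.ip_address(hops[idx]))
    except ValueError:
        return peer_ip            # malformed entry: fall back rather than log garbage


def forwarded_scheme(proto_header: Optional[str], default: str = "http") -> str:
    """X-Forwarded-Proto tells the app whether the client used HTTPS to the
    balancer, which is what an HTTP-to-HTTPS redirect decision should use."""
    value = (proto_header or default).strip().lower()
    return value if value in ("http", "https") else default


if __name__ == "__main__":
    # Constructed: a client that sent its own X-Forwarded-For before the ALB appended 12.34.56.78.
    spoofed = "1.2.3.4, 12.34.56.78"
    print("naive :", naive_client_ip(spoofed))                    # 1.2.3.4 (attacker-chosen)
    print("robust:", client_ip_from_xff(spoofed, "10.0.1.5"))    # 12.34.56.78
```

If the balancer is behind a second proxy you also run (for example a CDN in front of the ALB), raise `trusted_hops` accordingly; with a single ALB the rightmost entry is the only one that was written by infrastructure you control.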
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Network Load Balancer (v2)


* Network load balancers (Layer 4) allow you to:
* Forward TCP & UDP traffic to your instances
* Handle millions of requests per second
* Less latency ~ 100 ms (vs 400 ms for ALB)

* NLB has one static IP per AZ, and supports assigning Elastic IP (helpful for whitelisting specific IP)

* NLBs are used for extreme performance, TCP or UDP traffic
* Not included in the AWS free tier
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Network Load Balancer — Target Groups


* EC2 instances
* IP Addresses — must be private IPs
* Application Load Balancer
* Health Checks support the TCP, HTTP and HTTPS Protocols

(Diagram: the Network Load Balancer in front of a Target Group (EC2 Instances), a Target Group (Application Load Balancer) and a Target Group (IP Addresses))
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Gateway Load Balancer


* Deploy, scale, and manage a fleet of 3rd party network virtual appliances in AWS
* Example: Firewalls, Intrusion Detection and Prevention Systems, Deep Packet Inspection Systems, payload manipulation, ...

* Operates at Layer 3 (Network Layer) — IP Packets

* Combines the following functions:
* Transparent Network Gateway — single entry/exit for all traffic
* Load Balancer — distributes traffic to your virtual appliances

* Uses the GENEVE protocol on port 6081

(Diagram: traffic from the source enters the Gateway Load Balancer, which passes it through a Target Group of 3rd Party Security Virtual Appliances before it reaches the Application (destination))
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Gateway Load Balancer — Target Groups 


* EC2 instances
* IP Addresses — must be private IPs

(Diagram: Gateway Load Balancer with a Target Group (EC2 Instances: i-1234567890abcdef0, i-1234567890abcdef0) and a Target Group (IP Addresses: 192.168.1.118, 10.0.4.21))
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u105'sn(nuunoe1ep'MAWW Y91EE [A] aueydais © NOILNGIYLSIG 401 LON 


© Stephane Maarek 


Sticky Sessions (Session Affinity)

* It is possible to implement stickiness so that the same client is always redirected to the same instance behind a load balancer
* This works for Classic Load Balancer, Application Load Balancer, and Network Load Balancer
* For both CLB & ALB, the "cookie" used for stickiness has an expiration date you control
* Use case: make sure the user doesn't lose his session data
* Enabling stickiness may bring imbalance to the load over the backend EC2 instances

(Diagram: two clients behind the load balancer, each always sent to the same EC2 Instance)
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Sticky Sessions — Cookie Names 


* Application-based Cookies
  * Custom cookie
    * Generated by the target
    * Can include any custom attributes required by the application
    * Cookie name must be specified individually for each target group
    * Don't use AWSALB, AWSALBAPP, or AWSALBTG (reserved for use by the ELB)
  * Application cookie
    * Generated by the load balancer
    * Cookie name is AWSALBAPP

* Duration-based Cookies
  * Cookie generated by the load balancer
  * Cookie name is AWSALB for ALB, AWSELB for CLB
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Cross-Zone Load Balancing 


With Cross Zone Load Balancing: each load balancer instance distributes evenly across all registered instances in all AZs

Without Cross Zone Load Balancing: requests are distributed among the instances of the node of the Elastic Load Balancer (its own AZ only)

(Diagram: Availability Zone 1 and Availability Zone 2 with unequal instance counts; the figures on the instances, e.g. 6.25, are the percentage of requests each instance receives in each mode)
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Cross-Zone Load Balancing 


* Application Load Balancer
* Enabled by default (can be disabled at the Target Group level)
* No charges for inter AZ data

* Network Load Balancer & Gateway Load Balancer
* Disabled by default
* You pay charges ($) for inter AZ data if enabled

* Classic Load Balancer
* Disabled by default
* No charges for inter AZ data if enabled
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SSL/TLS - Basics 


* An SSL Certificate allows traffic between your clients and your load balancer to be encrypted in transit (in-flight encryption)

* SSL refers to Secure Sockets Layer, used to encrypt connections
* TLS refers to Transport Layer Security, which is a newer version
* Nowadays, TLS certificates are mainly used, but people still refer to them as SSL

* Public SSL certificates are issued by Certificate Authorities (CA)
* Comodo, Symantec, GoDaddy, GlobalSign, Digicert, Letsencrypt, etc...

* SSL certificates have an expiration date (you set) and must be renewed
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Load Balancer - SSL Certificates 


(Diagram: Users connect to the Load Balancer with HTTPS (encrypted) over the www; the Load Balancer talks HTTP to the instances over the private VPC)

* The load balancer uses an X.509 certificate (SSL/TLS server certificate)
* You can manage certificates using ACM (AWS Certificate Manager)
* You can create/upload your own certificates alternatively

* HTTPS listener:
* You must specify a default certificate
* You can add an optional list of certs to support multiple domains
* Clients can use SNI (Server Name Indication) to specify the hostname they reach
* Ability to specify a security policy to support older versions of SSL / TLS (legacy clients)
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SSL — Server Name Indication (SNI) 


* SNI solves the problem of loading multiple SSL certificates onto one web server (to serve multiple websites)
* It's a "newer" protocol, and requires the client to indicate the hostname of the target server in the initial SSL handshake
* The server will then find the correct certificate, or return the default one

Note:
* Only works for ALB & NLB (newer generation), CloudFront
* Does not work for CLB (older gen)

(Diagram: the Client tells the ALB which hostname it wants (www.mycorp.com); the ALB uses the correct SSL cert and forwards to the target group for www.mycorp.com. The ALB holds SSL Cert: Domain1.example.com, with a target group for Domain1.example.com, and SSL Cert: www.mycorp.com, with a target group for www.mycorp.com)
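The hostname the slide talks about travels in the `server_name` extension of the very first TLS message, the ClientHello, before any encryption is in place; that is what lets a listener with several certificates pick one, and it is also why the name is visible to anything on the path. The parser below is an added example, not from the course: it builds a minimal ClientHello for a constructed hostname (fixed all-zero random, one cipher suite) and reads the SNI value back the way a balancer would, then chooses a certificate or falls back to the default as the slide describes. The certificate names in the lookup table are placeholders.

```python
"""Build a minimal TLS ClientHello and extract its server_name (SNI) extension,
the value a load balancer uses to choose the certificate for an HTTPS
listener.  Added example, not from the slides.  The hello is constructed
(all-zero random, one cipher suite) and is not a complete TLS client."""
import struct
from typing import Optional

SNI_EXT = 0x0000    # extension type server_name
HOST_NAME = 0       # name_type host_name


def build_client_hello(hostname: str, with_sni: bool = True) -> bytes:
    """Return one TLS record carrying a ClientHello, optionally with SNI."""
    body = (
        b"\x03\x03"                            # client_version: TLS 1.2
        + bytes(32)                            # random (constructed: zeros)
        + b"\x00"                              # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
        + b"\x01\x00"                          # one compression method: null
    )
    if with_sni:
        name = hostname.encode("ascii")
        server_name = struct.pack("!BH", HOST_NAME, len(name)) + name
        sni_body = struct.pack("!H", len(server_name)) + server_name
        ext = struct.pack("!HH", SNI_EXT, len(sni_body)) + sni_body
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _parse_sni(record: bytes) -> Optional[str]:
    if len(record) < 5 or record[0] != 0x16:
        return None                            # not a handshake record
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        return None                            # not a ClientHello
    p = 4 + 2 + 32                             # skip header, version, random
    p += 1 + hs[p]                             # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # cipher_suites
    p += 1 + hs[p]                             # compression_methods
    if p + 2 > len(hs):
        return None                            # legacy client: no extensions block
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype == SNI_EXT:
            q = p + 2                          # skip server_name_list length
            while q + 3 <= p + elen:
                ntype, nlen = struct.unpack("!BH", hs[q:q + 3])
                q += 3
                if ntype == HOST_NAME:
                    return hs[q:q + nlen].decode("ascii")
                q += nlen
        p += elen
    return None


def parse_sni(record: bytes) -> Optional[str]:
    """Hostname from the ClientHello, or None when absent, truncated or malformed."""
    try:
        return _parse_sni(record)
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def pick_certificate(record: bytes, certs: dict, default: str) -> str:
    """Mimic a listener holding several certificates: SNI selects one, else the default."""
    return certs.get(parse_sni(record), default)


if __name__ == "__main__":
    certs = {"www.mycorp.com": "cert-mycorp", "domain1.example.com": "cert-domain1"}  # placeholders
    for host in ("www.mycorp.com", "nobody.invalid"):
        print(host, "->", pick_certificate(build_client_hello(host), certs, "cert-default"))
```

The `with_sni=False` path models an older client that sends no extensions at all, which is the case the slide's "return the default one" rule covers.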
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Elastic Load Balancers — SSL Certificates 


* Classic Load Balancer (v1)
* Supports only one SSL certificate
* Must use multiple CLBs for multiple hostnames with multiple SSL certificates

* Application Load Balancer (v2)
* Supports multiple listeners with multiple SSL certificates
* Uses Server Name Indication (SNI) to make it work

* Network Load Balancer (v2)
* Supports multiple listeners with multiple SSL certificates
* Uses Server Name Indication (SNI) to make it work
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Connection Draining 


* Feature naming
* Connection Draining — for CLB
* Deregistration Delay — for ALB & NLB

* Time to complete "in-flight requests" while the instance is de-registering or unhealthy
* Stops sending new requests to the EC2 instance which is de-registering
* Between 1 to 3600 seconds (default: 300 seconds)
* Can be disabled (set value to 0)
* Set to a low value if your requests are short

(Diagram: the ELB waits for existing connections to the DRAINING EC2 Instance to complete, while new connections are established to all other EC2 Instances)
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What's an Auto Scaling Group?


* In real life, the load on your websites and applications can change
* In the cloud, you can create and get rid of servers very quickly

* The goal of an Auto Scaling Group (ASG) is to:
* Scale out (add EC2 instances) to match an increased load
* Scale in (remove EC2 instances) to match a decreased load
* Ensure we have a minimum and a maximum number of EC2 instances running
* Automatically register new instances to a load balancer
* Re-create an EC2 instance in case a previous one is terminated (ex: if unhealthy)

* ASGs are free (you only pay for the underlying EC2 instances)
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Auto Scaling Group in AWS 


(Diagram: an Auto Scaling Group of EC2 Instances with Minimum Capacity, Desired Capacity and Maximum Capacity, scaling out as needed)
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Auto Scaling Group in AWS With Load Balancer 


(Diagram: Users -> Load Balancer -> the EC2 Instances of the Auto Scaling Group)


Auto Scaling Group Attributes 


* A Launch Template (older "Launch Configurations" are deprecated)
* AMI + Instance Type
* EC2 User Data
* EBS Volumes
* Security Groups
* SSH Key Pair
* IAM Roles for your EC2 Instances
* Network + Subnets Information
* Load Balancer Information
* Min Size / Max Size / Initial Capacity
* Scaling Policies

(Diagram: the ASG Launch Template combines AMI, Instance Type, EBS Volumes, Security Groups, SSH Key Pair, IAM Role, VPC + Subnets and Load Balancer)
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Auto Scaling - CloudWatch Alarms & Scaling 


* It is possible to scale an ASG based on CloudWatch alarms
* An alarm monitors a metric (such as Average CPU, or a custom metric)
* Metrics such as Average CPU are computed for the overall ASG instances

* Based on the alarm:
* We can create scale-out policies (increase the number of instances)
* We can create scale-in policies (decrease the number of instances)

(Diagram: a CloudWatch Alarm on the ASG's metric triggers scaling of the EC2 Instances)
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Auto Scaling Groups — Dynamic Scaling Policies 


* Target Tracking Scaling
* Most simple and easy to set up
* Example: I want the average ASG CPU to stay at around 40%

* Simple / Step Scaling
* When a CloudWatch alarm is triggered (example CPU > 70%), then add 2 units
* When a CloudWatch alarm is triggered (example CPU < 30%), then remove 1

* Scheduled Actions
* Anticipate a scaling based on known usage patterns
* Example: increase the min capacity to 10 at 5 pm on Fridays
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Auto Scaling Groups — Predictive Scaling 


* Predictive scaling: continuously forecast load and schedule scaling ahead

(Diagram: Analyze historical load -> Generate forecast -> Schedule scaling actions; each panel plots Load and Capacity from 4/1 to 4/30)
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Good metrics to scale on

* CPUUtilization: Average CPU utilization across your instances
* RequestCountPerTarget: to make sure the number of requests per EC2 instance is stable
* Average Network In / Out (if your application is network bound)
* Any custom metric (that you push using CloudWatch)

(Diagram: Users -> Application Load Balancer -> the EC2 instances of the ASG)


Auto Scaling Groups - Scaling Cooldowns 


* After a scaling activity happens, you are in the cooldown period (default 300 seconds)
* During the cooldown period, the ASG will not launch or terminate additional instances (to allow for metrics to stabilize)
* Advice: Use a ready-to-use AMI to reduce configuration time in order to be serving requests faster and reduce the cooldown period

(Diagram: Scaling Action Occurs -> is a Cooldown in effect? -> yes: Ignore Action; no: Launch or Terminate Instance)
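The step scaling policies from the Dynamic Scaling Policies slide and the cooldown rule above interact: an alarm that keeps firing during the cooldown is ignored, and a scale-out can never push desired capacity past the maximum. The simulation below is an added example, not course material; it encodes the slide's figures (CPU > 70% adds 2, CPU < 30% removes 1, 300 s cooldown) with constructed min/max sizes and a constructed series of timestamped CPU samples, and reports what the group does at each step.

```python
"""Simulate an Auto Scaling Group driven by step scaling policies with a
cooldown and min/max clamping.  Added example; not from the course.  The
thresholds and step sizes follow the slides' examples (CPU > 70% adds 2,
CPU < 30% removes 1, 300 s cooldown); sizes and samples are constructed."""
from dataclasses import dataclass


@dataclass
class ASG:
    min_size: int
    max_size: int
    desired: int
    cooldown_s: int = 300
    last_scaling_at: float = float("-inf")   # time of the last scaling activity

    def in_cooldown(self, now: float) -> bool:
        return now - self.last_scaling_at < self.cooldown_s

    def _set_desired(self, new: int, now: float) -> bool:
        """Clamp to [min, max]; only a real change counts as a scaling activity."""
        new = max(self.min_size, min(self.max_size, new))
        if new == self.desired:
            return False
        self.desired = new
        self.last_scaling_at = now
        return True

    def on_metric(self, avg_cpu: float, now: float) -> str:
        """Apply the two alarm-driven step policies for one metric sample."""
        if avg_cpu > 70:
            delta = +2        # scale-out policy
        elif avg_cpu < 30:
            delta = -1        # scale-in policy
        else:
            return "steady"
        if self.in_cooldown(now):
            return "ignored (cooldown)"   # let the metrics stabilize first
        if self._set_desired(self.desired + delta, now):
            return f"scaled to {self.desired}"
        return "at limit"     # min/max reached; no activity, so no new cooldown


def simulate(samples, asg: ASG = None):
    """samples: iterable of (time_s, avg_cpu).  Returns [(desired, action), ...]."""
    asg = asg or ASG(min_size=1, max_size=4, desired=2)   # constructed defaults
    out = []
    for t, cpu in samples:
        out.append((asg.desired if False else None, None))  # placeholder replaced below
        action = asg.on_metric(cpu, t)
        out[-1] = (asg.desired, action)
    return out


if __name__ == "__main__":
    # Constructed: a CPU spike, a repeat alarm inside the cooldown, then a long idle period.
    series = [(0, 85), (60, 90), (400, 90), (700, 10), (1100, 10), (1500, 10), (1900, 10)]
    for (t, cpu), (desired, action) in zip(series, simulate(series)):
        print(f"t={t:>5}s cpu={cpu:>3}% -> desired={desired} {action}")
```

Note that hitting the maximum at t=400 does not start a new cooldown, because nothing was launched; the group is free to scale in as soon as the low-CPU alarm fires at t=700.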
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RDS, Aurora & ElastiCache 
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Amazon RDS Overview 


* RDS stands for Relational Database Service
* It's a managed DB service for DBs that use SQL as a query language.
* It allows you to create databases in the cloud that are managed by AWS
* Postgres
* MySQL
* MariaDB
* Oracle
* Microsoft SQL Server
* Aurora (AWS Proprietary database)
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Advantage of using RDS versus deploying DB on EC2

* RDS is a managed service:
* Automated provisioning, OS patching
* Continuous backups and restore to specific timestamp (Point in Time Restore)!
* Monitoring dashboards
* Read replicas for improved read performance
* Multi AZ setup for DR (Disaster Recovery)
* Maintenance windows for upgrades
* Scaling capability (vertical and horizontal)
* Storage backed by EBS (gp2 or io1)

* BUT you can't SSH into your instances
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RDS — Storage Auto Scaling

* Helps you increase storage on your RDS DB instance dynamically
* When RDS detects you are running out of free database storage, it scales automatically
* Avoid manually scaling your database storage
* You have to set Maximum Storage Threshold (maximum limit for DB storage)
* Automatically modify storage if:
* Free storage is less than 10% of allocated storage
* Low-storage lasts at least 5 minutes
* 6 hours have passed since last modification
* Useful for applications with unpredictable workloads
* Supports all RDS database engines (MariaDB, MySQL, PostgreSQL, SQL Server, Oracle)

(Diagram: the application does Read/Write on the RDS DB instance while its storage grows automatically)
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RDS Read Replicas for read scalability 


* Up to 15 Read Replicas
* Within AZ, Cross AZ or Cross Region
* Replication is ASYNC, so reads are eventually consistent
* Replicas can be promoted to their own DB
* Applications must update the connection string to leverage read replicas

(Diagram: the Application writes to the RDS DB instance and reads from it and from two RDS DB instance read replicas, fed by ASYNC replication)
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RDS Read Replicas — Use Cases 


* You have a production database that is taking on normal load
* You want to run a reporting application to run some analytics
* You create a Read Replica to run the new workload there
* The production application is unaffected
* Read replicas are used for SELECT (=read) only kind of statements (not INSERT, UPDATE, DELETE)

(Diagram: the Production Application writes and reads on the RDS DB instance; ASYNC replication feeds the RDS DB instance read replica, which the Reporting Application reads from)
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RDS Read Replicas — Network Cost 


* In AWS there's a network cost when data goes from one AZ to another
* For RDS Read Replicas within the same region, you don't pay that fee

(Diagram: Same Region / Different AZ: the RDS DB instance in us-east-1a replicating ASYNC to a read replica in us-east-1b is Free; Cross-Region: the RDS DB instance in us-east-1a replicating ASYNC to a read replica in eu-west-1b costs $$)
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RDS Multi AZ (Disaster Recovery) 


* SYNC replication
* One DNS name — automatic app failover to standby
* Increase availability
* Failover in case of loss of AZ, loss of network, instance or storage failure
* No manual intervention in apps
* Not used for scaling

* Note: The Read Replicas can be set up as Multi AZ for Disaster Recovery (DR)

(Diagram: the Application writes and reads through one DNS name to the RDS Master DB instance (AZ A); SYNC replication keeps the RDS DB instance standby (AZ B) up to date, with automatic failover)
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RDS — From Single-AZ to Multi-AZ 


* Zero downtime operation (no need to stop the DB)
* Just click on "modify" for the database

* The following happens internally:
* A snapshot is taken
* A new DB is restored from the snapshot in a new AZ
* Synchronization is established between the two databases

(Diagram: RDS DB instance -> DB snapshot -> Standby DB instance, then SYNC replication between the two)
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RDS Custom 


* Managed Oracle and Microsoft SQL Server Database with OS and database customization
* RDS: Automates setup, operation, and scaling of database in AWS
* Custom: access to the underlying database and OS so you can
* Configure settings
* Install patches
* Enable native features
* Access the underlying EC2 Instance using SSH or SSM Session Manager

* De-activate Automation Mode to perform your customization, better to take a DB snapshot before

* RDS vs. RDS Custom
* RDS: entire database and the OS to be managed by AWS
* RDS Custom: full admin access to the underlying OS and the database

(Diagram: Amazon RDS Automation manages the EC2 Instance; the user applies customizations to it)
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Amazon Aurora 


* Aurora is a proprietary technology from AWS (not open sourced)
* Postgres and MySQL are both supported as Aurora DB (that means your drivers will work as if Aurora was a Postgres or MySQL database)
* Aurora is "AWS cloud optimized" and claims 5x performance improvement over MySQL on RDS, over 3x the performance of Postgres on RDS
* Aurora storage automatically grows in increments of 10GB, up to 128 TB.
* Aurora can have up to 15 replicas and the replication process is faster than MySQL (sub 10 ms replica lag)
* Failover in Aurora is instantaneous. It's HA (High Availability) native.
* Aurora costs more than RDS (20% more) — but is more efficient
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Aurora High Availability and Read Scaling 


* 6 copies of your data across 3 AZ:
* 4 copies out of 6 needed for writes
* 3 copies out of 6 needed for reads
* Self healing with peer-to-peer replication
* Storage is striped across 100s of volumes

* One Aurora Instance takes writes (master)
* Automated failover for master in less than 30 seconds
* Master + up to 15 Aurora Read Replicas serve reads
* Support for Cross Region Replication

(Diagram: AZ 1, AZ 2 and AZ 3 each hold copies of the data on the Shared storage Volume: Replication + Self Healing + Auto Expanding)
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Aurora DB Cluster 


(Diagram: the client uses the Writer Endpoint (pointing to the master) and the Reader Endpoint (Connection Load Balancing over the replicas); all instances sit on a Shared storage Volume, Auto Expanding from 10G to 128 TB)
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Features of Aurora 


* Automatic fail-over
* Backup and Recovery
* Isolation and security
* Industry compliance
* Push-button scaling
* Automated Patching with Zero Downtime
* Advanced Monitoring
* Routine Maintenance
* Backtrack: restore data at any point of time without using backups
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Aurora Replicas - Auto Scaling 


(Diagram: the Client sends Many Requests; the Writer Endpoint goes to the master while the Reader Endpoint is extended over the replicas added by Replicas Auto Scaling as Amazon Aurora CPU Usage rises; all instances share one Shared Storage Volume)
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Aurora — Custom Endpoints 


* Define a subset of Aurora Instances as a Custom Endpoint
* Example: Run analytical queries on specific replicas
* The Reader Endpoint is generally not used after defining Custom Endpoints

(Diagram: the Client sends Analytical Queries to a Custom Endpoint covering the two db.r5.2xlarge Amazon Aurora replicas, while the Writer Endpoint and Reader Endpoint cover the db.r3.large instances; all on a Shared Storage Volume)
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Aurora Serverless 


* Automated database instantiation and auto-scaling based on actual usage
* Good for infrequent, intermittent or unpredictable workloads
* No capacity planning needed
* Pay per second, can be more cost-effective

(Diagram: the Client connects through a Proxy Fleet (managed by Aurora) to Aurora instances on a Shared storage Volume)
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Aurora Multi-Master 


* In case you want continuous write availability for the writer nodes
* Every node does R/W - vs promoting a Read Replica as the new master

(Diagram: the Client opens Multiple DB Connections to Multiple writer endpoints; the Amazon Aurora nodes replicate between each other on a Shared Storage Volume)
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Global Aurora

* Aurora Cross Region Read Replicas:
* Useful for disaster recovery
* Simple to put in place

* Aurora Global Database (recommended):
* 1 Primary Region (read / write)
* Up to 5 secondary (read-only) regions, replication lag is less than 1 second
* Up to 16 Read Replicas per secondary region
* Helps for decreasing latency
* Promoting another region (for disaster recovery) has an RTO of < 1 minute
* Typical cross-region replication takes less than 1 second

(Diagram: Applications do Read / Write on the PRIMARY region and Read Only on the eu-west-1 SECONDARY region, fed by cross-region replication)
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Aurora Machine Learning 


* Enables you to add ML-based predictions to your applications via SQL
* Simple, optimized, and secure integration between Aurora and AWS ML services
* Supported services
* Amazon SageMaker (use with any ML model)
* Amazon Comprehend (for sentiment analysis)
* You don't need to have ML experience
* Use cases: fraud detection, ads targeting, sentiment analysis, product recommendations

(Diagram: the Application sends an SQL query (Recommended products?) to Amazon Aurora, which sends data (user's profile, ...) to Amazon SageMaker / Amazon Comprehend and returns their Decision as query results (red shirt, blue...))
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RDS Backups

* Automated backups:
* Daily full backup of the database (during the backup window)
* Transaction logs are backed-up by RDS every 5 minutes
* => ability to restore to any point in time (from oldest backup to 5 minutes ago)
* 1 to 35 days of retention, set 0 to disable automated backups

* Manual DB Snapshots
* Manually triggered by the user
* Retention of backup for as long as you want

* Trick: in a stopped RDS database, you will still pay for storage. If you plan on stopping it for a long time, you should snapshot & restore instead
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Aurora Backups

* Automated backups
* 1 to 35 days (cannot be disabled)
* point-in-time recovery in that timeframe

* Manual DB Snapshots
* Manually triggered by the user
* Retention of backup for as long as you want
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RDS & Aurora Restore options

* Restoring a RDS / Aurora backup or a snapshot creates a new database

* Restoring MySQL RDS database from S3
* Create a backup of your on-premises database
* Store it on Amazon S3 (object storage)
* Restore the backup file onto a new RDS instance running MySQL

* Restoring MySQL Aurora cluster from S3
* Create a backup of your on-premises database using Percona XtraBackup
* Store the backup file on Amazon S3
* Restore the backup file onto a new Aurora cluster running MySQL




Aurora Database Cloning 


* Create a new Aurora DB Cluster from an existing one
* Faster than snapshot & restore
* Uses copy-on-write protocol
* Initially, the new DB cluster uses the same data volume as the original DB cluster (fast and efficient — no copying is needed)
* When updates are made to the new DB cluster data, then additional storage is allocated and data is copied to be separated
* Very fast & cost-effective
* Useful to create a "staging" database from a "production" database without impacting the production database

(Diagram: Production Aurora cloned into Staging Aurora)
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RDS & Aurora Security 


* At-rest encryption:
* Database master & replicas encryption using AWS KMS — must be defined at launch time
* If the master is not encrypted, the read replicas cannot be encrypted
* To encrypt an un-encrypted database, go through a DB snapshot & restore as encrypted

* In-flight encryption: TLS-ready by default, use the AWS TLS root certificates client-side
* IAM Authentication: IAM roles to connect to your database (instead of username/pw)
* Security Groups: Control Network access to your RDS / Aurora DB
* No SSH available except on RDS Custom
* Audit Logs can be enabled and sent to CloudWatch Logs for longer retention
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RDS Proxy

* Fully managed database proxy for RDS
* Allows apps to pool and share DB connections established with the database
* Improving database efficiency by reducing the stress on database resources (e.g., CPU, RAM) and minimize open connections (and timeouts)
* Serverless, autoscaling, highly available (multi-AZ)
* Reduced RDS & Aurora failover time by up to 66%
* Supports RDS (MySQL, PostgreSQL, MariaDB, MS SQL Server) and Aurora (MySQL, PostgreSQL)
* No code changes required for most apps
* Enforce IAM Authentication for DB, and securely store credentials in AWS Secrets Manager
* RDS Proxy is never publicly accessible (must be accessed from VPC)

(Diagram: inside the VPC, Lambda functions and other clients connect to Amazon RDS Proxy, which pools connections to the RDS DB Instance in a Private subnet)
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Amazon ElastiCache Overview 


* The same way RDS is to get managed Relational Databases... 
* ElastiCache is to get managed Redis or Memcached 


* Caches are in-memory databases with really high performance, low 
latency 


* Helps reduce load off of databases for read intensive workloads 
* Helps make your application stateless 


* AWS takes care of OS maintenance / patching, optimizations, setup, 
configuration, monitoring, failure recovery and backups 


* Using ElastiCache involves heavy application code changes 
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ElastiCache
Solution Architecture - DB Cache

* Applications query ElastiCache; if the data is not available, get it from RDS and store it in ElastiCache.
* Helps relieve load in RDS
* Cache must have an invalidation strategy to make sure only the most current data is used in there.

(Diagram: the application reads from Amazon ElastiCache (Cache hit); on a Cache miss it reads from the DB (Amazon RDS) and writes to cache)
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ElastiCache
Solution Architecture — User Session Store

* User logs into any of the application instances
* The application writes the session data into ElastiCache
* The user hits another instance of our application
* The instance retrieves the data and the user is already logged in

(Diagram: User -> application (Write session to Amazon ElastiCache) -> another application instance (Retrieve session from Amazon ElastiCache))
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FlastiCache — Redis vs Memcached 


REDIS
* Multi AZ with Auto-Failover
* Read Replicas to scale reads and have high availability
* Data Durability using AOF persistence
* Backup and restore features
* Supports Sets and Sorted Sets
(Diagram: Replication)

MEMCACHED
* Multi-node for partitioning of data (sharding)
* No high availability (replication)
* Non persistent
* No backup and restore
* Multi-threaded architecture
(Diagram: sharding)
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ElastiCache — Cache Security

* ElastiCache supports IAM Authentication for Redis
* IAM policies on ElastiCache are only used for AWS API-level security
* Redis AUTH
* You can set a "password/token" when you create a Redis cluster
* This is an extra level of security for your cache (on top of security groups)
* Support SSL in flight encryption
* Memcached
* Supports SASL-based authentication (advanced)

(Diagram: the EC2 client (in the EC2 Security group) connects to Redis (in the Redis Security group) with SSL encryption and Redis AUTH)
Patterns for ElastiCache

* Lazy Loading: all the read data is cached, data can become stale in cache
* Write Through: adds or updates data in the cache when written to a DB (no stale data)
* Session Store: store temporary session data in a cache (using TTL features)

Quote: "There are only two hard things in Computer Science: cache invalidation and naming things"

Diagram (Lazy Loading illustrated): application -> Amazon ElastiCache (cache hit); on a cache miss -> read from Amazon RDS -> write to cache
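The three patterns above (lazy loading, write-through, session store with TTL) and the DB-cache / session-store architectures from the earlier slides, as an added example that is not part of the course material. It runs against an in-memory stand-in for ElastiCache and RDS (FakeCache, FakeDatabase are constructed here) with an injectable clock so TTL expiry can be observed.

```python
"""Lazy loading, write-through and session-store patterns from the slides,
run against an in-memory stand-in for ElastiCache. Constructed example (not
the course's code); the clock is injected so TTL expiry can be exercised."""
import json
import secrets
import time
from typing import Callable, Dict, Optional, Tuple


class FakeCache:
    """Minimal stand-in for a Redis-style key/value store with per-key TTL."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._store: Dict[str, Tuple[str, Optional[float]]] = {}

    def get(self, key: str) -> Optional[str]:
        item = self._store.get(key)
        if item is None:
            return None
        value, expires_at = item
        if expires_at is not None and self._clock() >= expires_at:
            del self._store[key]  # expired: drop it, like Redis lazy expiry
            return None
        return value

    def set(self, key: str, value: str, ttl: Optional[float] = None) -> None:
        expires_at = None if ttl is None else self._clock() + ttl
        self._store[key] = (value, expires_at)

    def delete(self, key: str) -> None:
        self._store.pop(key, None)


class FakeDatabase:
    """Stand-in for RDS that counts reads so the cache's effect is visible."""

    def __init__(self, rows: Dict[int, dict]) -> None:
        self.rows = dict(rows)
        self.reads = 0

    def select(self, user_id: int) -> Optional[dict]:
        self.reads += 1
        return self.rows.get(user_id)

    def update(self, user_id: int, row: dict) -> None:
        self.rows[user_id] = row


class UserRepository:
    """Lazy loading on reads, write-through on writes (DB first, then cache)."""

    def __init__(self, cache: FakeCache, db: FakeDatabase, ttl: float = 300) -> None:
        self.cache, self.db, self.ttl = cache, db, ttl

    @staticmethod
    def _key(user_id: int) -> str:
        return f"user:{user_id}"

    def get_user(self, user_id: int) -> Optional[dict]:
        cached = self.cache.get(self._key(user_id))
        if cached is not None:  # cache hit
            return json.loads(cached)
        row = self.db.select(user_id)  # cache miss: read from the DB ...
        if row is not None:  # ... and populate the cache (staleness bounded by TTL)
            self.cache.set(self._key(user_id), json.dumps(row), self.ttl)
        return row

    def update_user(self, user_id: int, row: dict) -> None:
        self.db.update(user_id, row)  # the DB stays the source of truth
        self.cache.set(self._key(user_id), json.dumps(row), self.ttl)  # no stale entry


class SessionStore:
    """Session data keyed by an unguessable id; the cache TTL expires it."""

    def __init__(self, cache: FakeCache, ttl: float = 1800) -> None:
        self.cache, self.ttl = cache, ttl

    def create(self, data: dict) -> str:
        session_id = secrets.token_urlsafe(32)  # 256-bit random id
        self.cache.set(f"session:{session_id}", json.dumps(data), self.ttl)
        return session_id

    def load(self, session_id: str) -> Optional[dict]:
        raw = self.cache.get(f"session:{session_id}")
        return None if raw is None else json.loads(raw)

    def destroy(self, session_id: str) -> None:
        self.cache.delete(f"session:{session_id}")  # logout / invalidation
```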
ElastiCache - Redis Use Case

* Gaming Leaderboards are computationally complex
* Redis Sorted sets guarantee both uniqueness and element ordering
* Each time a new element is added, it's ranked in real time, then added in the correct order

Diagram (Real-time Leaderboard): clients -> ElastiCache for Redis (primary and replicas)
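The sorted-set semantics the slide relies on (unique members, kept in score order, ranked on insert), as an added example that is not Redis or the course's code: a small in-memory SortedSet with ZADD / ZREVRANK / ZREVRANGE-like operations and a leaderboard helper on top.

```python
"""Real-time leaderboard modelled on a Redis sorted set: each member is unique
and is placed in score order at insert time. Constructed stand-in for
ElastiCache for Redis, not the course's code."""
import bisect
from typing import Dict, List, Optional, Tuple


class SortedSet:
    """Members are unique; ordering is by (score, member), as in Redis."""

    def __init__(self) -> None:
        self._score: Dict[str, float] = {}           # member -> current score
        self._order: List[Tuple[float, str]] = []    # ascending (score, member)

    def zadd(self, member: str, score: float) -> bool:
        """Insert or re-score a member; returns True when the member is new."""
        old = self._score.get(member)
        if old is not None:
            # remove the previous placement so the member never appears twice
            idx = bisect.bisect_left(self._order, (old, member))
            del self._order[idx]
        bisect.insort(self._order, (score, member))  # ranked at insert time
        self._score[member] = score
        return old is None

    def zscore(self, member: str) -> Optional[float]:
        return self._score.get(member)

    def zrevrank(self, member: str) -> Optional[int]:
        """0-based rank counted from the highest score."""
        score = self._score.get(member)
        if score is None:
            return None
        idx = bisect.bisect_left(self._order, (score, member))
        return len(self._order) - 1 - idx

    def zrevrange(self, start: int, stop: int) -> List[Tuple[str, float]]:
        """Slice in descending score order; stop is inclusive, like Redis."""
        top = self._order[::-1]
        return [(member, score) for score, member in top[start:stop + 1]]


def record_score(board: SortedSet, player: str, score: float) -> int:
    """Keep only a player's best score; return their new 1-based rank."""
    current = board.zscore(player)
    if current is None or score > current:
        board.zadd(player, score)
    rank = board.zrevrank(player)
    assert rank is not None  # the player was just placed on the board
    return rank + 1


def top_n(board: SortedSet, n: int) -> List[Tuple[str, float]]:
    """The first n entries of the leaderboard, best score first."""
    return board.zrevrange(0, n - 1)
```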
What is DNS?

* Domain Name System which translates the human friendly hostnames into the machine IP addresses
* www.google.com => 172.217.18.36
* DNS is the backbone of the Internet
* DNS uses hierarchical naming structure

Diagram: .com -> example.com -> www.example.com, api.example.com
DNS Terminologies

* Domain Registrar: Amazon Route 53, GoDaddy, ...
* DNS Records: A, AAAA, CNAME, NS, ...
* Zone File: contains DNS records
* Name Server: resolves DNS queries (Authoritative or Non-Authoritative)
* Top Level Domain (TLD): .com, .us, .in, .gov, .org, ...
* Second Level Domain (SLD): amazon.com, google.com, ...

Diagram (URL anatomy): http://api.www.example.com. with the Protocol, Sub Domain, SLD, TLD and FQDN (Fully Qualified Domain Name) labelled
How DNS Works

Diagram: the Web Browser wants to access example.com and asks its Local DNS Server (assigned and managed by your company, or assigned by your ISP dynamically) "example.com?". The Local DNS Server asks the Root DNS Server (managed by ICANN), is referred to the TLD DNS Server for .com (managed by IANA, a branch of ICANN), which answers "example.com NS 5.6.7.8", then asks the SLD DNS Server for example.com (managed by the Domain Registrar, e.g., Amazon Registrar, Inc.), which answers 9.10.11.12. The answer goes back to the browser, which connects to the Web Server (example.com, IP: 9.10.11.12).
Amazon Route 53

* A highly available, scalable, fully managed and Authoritative DNS
  * Authoritative = the customer (you) can update the DNS records
* Route 53 is also a Domain Registrar
* Ability to check the health of your resources
* The only AWS service which provides 100% availability SLA
* Why Route 53? 53 is a reference to the traditional DNS port

Diagram: Client asks "example.com?" -> Amazon Route 53 answers 54.22.33.44 -> EC2 Instance (Public IP 54.22.33.44) in the AWS Cloud
Route 53 - Records

* How you want to route traffic for a domain
* Each record contains:
  * Domain/subdomain Name - e.g., example.com
  * Record Type - e.g., A or AAAA
  * Value - e.g., 12.34.56.78
  * Routing Policy - how Route 53 responds to queries
  * TTL - amount of time the record is cached at DNS Resolvers
* Route 53 supports the following DNS record types:
  * (must know) A / AAAA / CNAME / NS
  * (advanced) CAA / DS / MX / NAPTR / PTR / SOA / TXT / SPF / SRV
Route 53 - Record Types

* A - maps a hostname to IPv4
* AAAA - maps a hostname to IPv6
* CNAME - maps a hostname to another hostname
  * The target is a domain name which must have an A or AAAA record
  * Can't create a CNAME record for the top node of a DNS namespace (Zone Apex)
  * Example: you can't create one for example.com, but you can create one for www.example.com
* NS - Name Servers for the Hosted Zone
  * Control how traffic is routed for a domain
Route 53 - Hosted Zones

* A container for records that define how to route traffic to a domain and its subdomains
* Public Hosted Zones - contains records that specify how to route traffic on the Internet (public domain names), e.g., application1.mypublicdomain.com
* Private Hosted Zones - contain records that specify how you route traffic within one or more VPCs (private domain names), e.g., application1.company.internal
* You pay $0.50 per month per hosted zone
Route 53 - Public vs. Private Hosted Zones

Diagram (Public Hosted Zone): a Client asks "example.com?" and receives 54.22.33.44 from the Public Hosted Zone; public targets shown are an EC2 Instance (Public IP), an Application Load Balancer, an S3 Bucket and Amazon CloudFront.

Diagram (Private Hosted Zone): inside a VPC, the Private Hosted Zone holds records for EC2 Instances webapp.example.internal and api.example.internal (Private IPs) and an Amazon RDS DB Instance db.example.internal (Private IP).

© Stephane Maarek
Route 53 - Records TTL (Time To Live)

* High TTL - e.g., 24 hr
  * Less traffic on Route 53
  * Possibly outdated records
* Low TTL - e.g., 60 sec.
  * More traffic on Route 53 ($$)
  * Records are outdated for less time
  * Easy to change records
* Except for Alias records, TTL is mandatory for each DNS record

Diagram: Client sends a DNS request to Amazon Route 53 and gets back the record with its TTL; the client caches the result for the TTL of the record, then sends its HTTP request to the Web Server and receives the response.
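The iterative walk from the "How DNS Works" slide (root -> TLD -> SLD name server) together with the TTL caching described above, as an added example that is not part of the course material. The servers and zone data are constructed in the block; the root and TLD addresses are made up, while the example.com values (NS 5.6.7.8, A 9.10.11.12) follow the slide.

```python
"""Iterative resolution as drawn on the 'How DNS Works' slide (root -> TLD ->
SLD name server) plus a local resolver cache that honours the record's TTL.
Constructed servers and zone data, not the course's code; the root and TLD
addresses are made up, the example.com values match the slide."""
import time
from typing import Callable, Dict, List, Optional, Tuple

Record = Tuple[str, str, int]  # (type, value, ttl in seconds)

# Constructed authoritative data per name server, keyed by the server's IP.
# An NS record is a referral ("ask this server next"); an A record is final.
SERVERS: Dict[str, Dict[str, Record]] = {
    "10.0.0.1": {"com.": ("NS", "1.2.3.4", 172800)},         # Root DNS Server (made-up IP)
    "1.2.3.4": {"example.com.": ("NS", "5.6.7.8", 172800)},  # TLD DNS Server (.com)
    "5.6.7.8": {"example.com.": ("A", "9.10.11.12", 300)},   # SLD DNS Server (example.com)
}
ROOT_SERVER = "10.0.0.1"


def suffixes(qname: str) -> List[str]:
    """'www.example.com.' -> ['www.example.com.', 'example.com.', 'com.']"""
    labels = qname.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]


def ask_server(server_ip: str, qname: str) -> Optional[Record]:
    """One query to an authoritative server: exact answer, else closest delegation."""
    zone = SERVERS[server_ip]
    if qname in zone:
        return zone[qname]
    for parent in suffixes(qname)[1:]:
        rec = zone.get(parent)
        if rec is not None and rec[0] == "NS":
            return rec  # a delegation covers every name below it
    return None


class LocalResolver:
    """The slide's 'Local DNS Server': follows referrals, caches for the TTL."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._cache: Dict[str, Tuple[str, float]] = {}  # qname -> (ip, expires_at)
        self.upstream_queries = 0  # how many questions went to authoritative servers

    def resolve(self, name: str) -> Optional[str]:
        qname = name if name.endswith(".") else name + "."
        hit = self._cache.get(qname)
        if hit is not None and hit[1] > self._clock():
            return hit[0]  # served from cache; nothing sent upstream
        server = ROOT_SERVER
        for _ in range(8):  # guard against referral loops
            self.upstream_queries += 1
            answer = ask_server(server, qname)
            if answer is None:
                return None  # no delegation or record for this name
            rtype, value, ttl = answer
            if rtype == "NS":
                server = value  # follow the referral to the next server
                continue
            self._cache[qname] = (value, self._clock() + ttl)  # cache for the TTL
            return value
        return None
```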
CNAME vs Alias

* AWS Resources (Load Balancer, CloudFront...) expose an AWS hostname:
  * lb1-1234.us-east-2.elb.amazonaws.com and you want myapp.mydomain.com
* CNAME:
  * Points a hostname to any other hostname. (app.mydomain.com => blabla.anything.com)
  * ONLY FOR NON ROOT DOMAIN (aka. something.mydomain.com)
* Alias:
  * Points a hostname to an AWS Resource (app.mydomain.com => blabla.amazonaws.com)
  * Works for ROOT DOMAIN and NON ROOT DOMAIN (aka mydomain.com)
  * Free of charge
  * Native health check
Route 53 - Alias Records

* Maps a hostname to an AWS resource
* An extension to DNS functionality
* Automatically recognizes changes in the resource's IP addresses
* Unlike CNAME, it can be used for the top node of a DNS namespace (Zone Apex), e.g.: example.com
* Alias Record is always of type A/AAAA for AWS resources (IPv4 / IPv6)
* You can't set the TTL

Diagram: Amazon Route 53 record example.com, type A, Alias Record (Enabled), pointing at MyALB-123456789.us-... (an Application Load Balancer whose AWS-managed IP addresses might change)

Route 53 - Alias Records Targets

* Elastic Load Balancers
* CloudFront Distributions
* API Gateway
* Elastic Beanstalk environments
* S3 Websites
* VPC Interface Endpoints
* Global Accelerator accelerator
* Route 53 record in the same hosted zone
* You cannot set an ALIAS record for an EC2 DNS name
Route 53 - Routing Policies

* Define how Route 53 responds to DNS queries
* Don't get confused by the word "Routing"
  * It's not the same as Load balancer routing which routes the traffic
  * DNS does not route any traffic, it only responds to the DNS queries
* Route 53 Supports the following Routing Policies
  * Simple
  * Weighted
  * Failover
  * Latency based
  * Geolocation
  * Multi-Value Answer
  * Geoproximity (using Route 53 Traffic Flow feature)
Routing Policies - Simple

* Typically, route traffic to a single resource
* Can specify multiple values in the same record
* If multiple values are returned, a random one is chosen by the client
* When Alias enabled, specify only one AWS resource
* Can't be associated with Health Checks

Diagram (Single Value): Client -> Amazon Route 53 -> A 11.22.33.44
Diagram (Multiple Value): Client -> Amazon Route 53 -> A 11.22.33.44, A 55.66.77.88, A 99.11.22.33; the client picks a random value
Routing Policies - Weighted

* Control the % of the requests that go to each specific resource
* Assign each record a relative weight:
  traffic (%) = Weight for a specific record / Sum of all the weights for all records
  * Weights don't need to sum up to 100
* DNS records must have the same name and type
* Can be associated with Health Checks
* Use Cases: load balancing between regions, testing new application versions...
* Assign a weight of 0 to a record to stop sending traffic to a resource
* If all records have weight of 0, then all records will be returned equally

Diagram: Amazon Route 53 answers queries with three records of Weight: 70, Weight: 20 and Weight: 10
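The weighted formula and its two edge rules (weight 0 removes a record, all-zero weights return every record equally), plus the health-check filtering the slide allows, as an added example that is not Route 53's implementation or the course's code. The record values are constructed.

```python
"""Weighted routing as described on the slide: a record's share of answers is
its weight divided by the sum of all weights, a weight of 0 stops traffic to
that record, all-zero weights return every record equally, and records whose
health check fails are skipped. Constructed example, not Route 53's code."""
import random
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class WeightedRecord:
    value: str            # e.g. the IPv4 address of an A record
    weight: int           # relative weight; weights need not sum to 100
    healthy: bool = True  # result of the associated health check


def traffic_share(records: Iterable[WeightedRecord]) -> Dict[str, Fraction]:
    """Exact fraction of answers each record value should receive."""
    candidates = [r for r in records if r.healthy and r.weight >= 0]
    if not candidates:
        return {}
    total = sum(r.weight for r in candidates)
    if total == 0:  # all weights 0: every record is returned equally
        return {r.value: Fraction(1, len(candidates)) for r in candidates}
    # a weight of 0 next to non-zero weights means "no traffic to this record"
    return {r.value: Fraction(r.weight, total) for r in candidates if r.weight > 0}


def choose_answer(records: Iterable[WeightedRecord], rng: random.Random) -> Optional[str]:
    """Pick one record value with probability equal to its traffic share."""
    shares = traffic_share(records)
    if not shares:
        return None
    values: List[str] = list(shares)
    weights = [float(shares[v]) for v in values]
    return rng.choices(values, weights=weights, k=1)[0]


def simulate(records: Iterable[WeightedRecord], queries: int, seed: int = 0) -> Dict[str, int]:
    """Count answers over many queries to see the shares materialise."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    records = list(records)
    counts: Dict[str, int] = {}
    for _ in range(queries):
        answer = choose_answer(records, rng)
        if answer is not None:
            counts[answer] = counts.get(answer, 0) + 1
    return counts
```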
Routing Policies - Latency-based

* Redirect to the resource that has the least latency close to us
* Super helpful when latency for users is a priority
* Latency is based on traffic between users and AWS Regions
* Germany users may be directed to the US (if that's the lowest latency)
* Can be associated with Health Checks (has a failover capability)

Diagram: users are answered with the ALB (us-east-1) or the ALB (ap-southeast-1), whichever has the lowest latency for them
Route 53 - Health Checks

* HTTP Health Checks are only for public resources
* Health Check => Automated DNS Failover:
  1. Health checks that monitor an endpoint (application, server, other AWS resource)
  2. Health checks that monitor other health checks (Calculated Health Checks)
  3. Health checks that monitor CloudWatch Alarms (full control !!) - e.g., throttles of DynamoDB, alarms on RDS, custom metrics, ... (helpful for private resources)
* Health Checks are integrated with CW metrics

Diagram: an Amazon Route 53 DNS Record (latency, geoproximity, ...) with a health check on each of two ALBs, each in front of an Auto Scaling group of EC2 Instances
Health Checks - Monitor an Endpoint

* About 15 global health checkers will check the endpoint health
* Healthy/Unhealthy Threshold - 3 (default)
* Interval - 30 sec (can set to 10 sec - higher cost)
* Supported protocol: HTTP, HTTPS and TCP
* If > 18% of health checkers report the endpoint is healthy, Route 53 considers it Healthy. Otherwise, it's Unhealthy
* Ability to choose which locations you want Route 53 to use
* Health Checks pass only when the endpoint responds with the 2xx and 3xx status codes
* Health Checks can be set up to pass / fail based on the text in the first 5120 bytes of the response
* Configure your router/firewall to allow incoming requests from Route 53 Health Checkers

Diagram: health checkers in us-east-1, us-west-1, sa-east-1, ... probe an ALB in front of an Auto Scaling group of EC2 Instances; the Health Checkers IP address range is published at https://ip-ranges.amazonaws.com/ip-ranges.json

Route 53 - Calculated Health Checks

* Combine the results of multiple Health Checks into a single Health Check
* You can use OR, AND, or NOT
* Can monitor up to 256 Child Health Checks
* Specify how many of the health checks need to pass to make the parent pass
* Usage: perform maintenance to your website without causing all health checks to fail

Diagram: Amazon Route 53 Health Check (Parent) combining three Health Checks (Child), each monitoring an EC2 Instance
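The evaluation rules from the two slides above (2xx/3xx with optional text match in the first 5120 bytes, the threshold of 3 consecutive results, the "> 18% of checkers" quorum, and calculated parent checks with AND / OR / NOT or "at least N of M", capped at 256 children), as an added example that is not AWS code. The checker locations and probe results are constructed.

```python
"""Route 53 health evaluation as described on the slides. Constructed example
(not AWS code): probe results and checker locations are made up."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HEALTHY_CHECKER_SHARE = 0.18   # slide: "> 18% of health checkers report healthy"
INSPECTED_BODY_BYTES = 5120    # slide: text match against the first 5120 bytes
MAX_CHILD_CHECKS = 256         # slide: up to 256 child health checks


def probe_passes(status: int, body: bytes, required_text: Optional[str] = None) -> bool:
    """A single probe passes on a 2xx/3xx status; optionally the text must appear
    within the first 5120 bytes of the response body."""
    if not 200 <= status < 400:
        return False
    if required_text is None:
        return True
    return required_text.encode() in body[:INSPECTED_BODY_BYTES]


class CheckerState:
    """One checker's verdict flips only after `threshold` consecutive probes of
    the opposite kind (the slide's Healthy/Unhealthy Threshold, default 3)."""

    def __init__(self, threshold: int = 3, healthy: bool = True) -> None:
        self.threshold, self.healthy, self._streak = threshold, healthy, 0

    def observe(self, passed: bool) -> bool:
        if passed == self.healthy:
            self._streak = 0  # same as the current verdict: nothing changes
        else:
            self._streak += 1
            if self._streak >= self.threshold:
                self.healthy, self._streak = passed, 0
        return self.healthy


def endpoint_is_healthy(checker_reports: Dict[str, bool]) -> bool:
    """checker_reports maps a checker location (e.g. 'us-east-1') to its verdict.
    Route 53 considers the endpoint healthy when more than 18% say so."""
    if not checker_reports:
        return False
    healthy = sum(1 for ok in checker_reports.values() if ok)
    return healthy / len(checker_reports) > HEALTHY_CHECKER_SHARE


@dataclass
class CalculatedCheck:
    """Parent check over child results: AND / OR, an 'at least N' threshold,
    and NOT modelled as inverting the combined result."""
    children: List[bool] = field(default_factory=list)
    operator: str = "OR"             # "AND" or "OR"
    min_healthy: Optional[int] = None  # when set: at least N children must pass
    invert: bool = False             # the slide's NOT

    def evaluate(self) -> bool:
        if len(self.children) > MAX_CHILD_CHECKS:
            raise ValueError("at most 256 child health checks are allowed")
        healthy = sum(1 for ok in self.children if ok)
        if self.min_healthy is not None:
            result = healthy >= self.min_healthy
        elif self.operator == "AND":
            result = healthy == len(self.children) and healthy > 0
        elif self.operator == "OR":
            result = healthy > 0
        else:
            raise ValueError(f"unknown operator {self.operator!r}")
        return (not result) if self.invert else result
```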
Health Checks - Private Hosted Zones

* Route 53 health checkers are outside the VPC
* They can't access private endpoints (private VPC or on-premises resource)
* You can create a CloudWatch Metric and associate a CloudWatch Alarm, then create a Health Check that checks the alarm itself

Diagram: Health Checker (us-east-1) -> CloudWatch Alarm -> monitor -> EC2 Instance in a Private subnet
Routing Policies - Failover (Active-Passive)

Diagram: Client DNS Requests -> Amazon Route 53 -> EC2 Instance (Primary) with a mandatory Health Check; on failover -> EC2 Instance (Secondary - Disaster Recovery)
Routing Policies - Geolocation

* Different from Latency-based!
* This routing is based on user location
* Specify location by Continent, Country or by US State (if there's overlapping, most precise location selected)
* Should create a "Default" record (in case there's no match on location)
* Use cases: website localization, restrict content distribution, load balancing, ...
* Can be associated with Health Checks

Diagram: users in different locations are answered with A 11.22.33.44, A 55.66.77.88 or A 99.11.22.33, the last being the Default record
Routing Policies - Geoproximity

* Route traffic to your resources based on the geographic location of users and resources
* Ability to shift more traffic to resources based on the defined bias
* To change the size of the geographic region, specify bias values:
  * To expand (1 to 99) - more traffic to the resource
  * To shrink (-1 to -99) - less traffic to the resource
* Resources can be
  * AWS resources (specify AWS region)
  * Non-AWS resources (specify Latitude and Longitude)
* You must use Route 53 Traffic Flow to use this feature

Diagram (Routing Policies - Geoproximity): map of the US split between two resources, with us-east-1 at Bias: 0
Diagram (Routing Policies - Geoproximity): the same map with us-east-1 at Bias: 50, so its region has grown
Routing Policies - IP-based Routing

* Routing is based on clients' IP addresses
* You provide a list of CIDRs for your clients and the corresponding endpoints/locations (user-IP-to-endpoint mappings)
* Use cases: Optimize performance, reduce network costs...
* Example: route end users from a particular ISP to a specific endpoint

Diagram: Route 53 CIDR collection - location-1: 203.0.113.0/24, location-2: 200.5.4.0/24. Records - example.com 1.2.3.4 location-1; example.com 5.6.7.8 location-2. User A (203.0.113.56) is answered with the EC2 Instance (1.2.3.4); User B is answered with the EC2 Instance (5.6.7.8).
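The two client-location policies above, Geolocation (most precise of continent / country / US state wins, Default record when nothing matches) and IP-based routing (client IP matched against the CIDR collection, longest prefix wins), as an added example that is not Route 53's implementation. The geolocation records are constructed; the CIDR collection and endpoints reuse the values on the IP-based routing slide.

```python
"""Answer selection for the Geolocation and IP-based routing policies as the
slides describe them. Constructed example, not Route 53's code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class GeoRecord:
    value: str
    continent: Optional[str] = None  # e.g. "EU"
    country: Optional[str] = None    # e.g. "DE"
    us_state: Optional[str] = None   # e.g. "CA"; only meaningful with country "US"
    is_default: bool = False         # the slide's "Default" record


def geolocation_answer(records: Iterable[GeoRecord], client_continent: str,
                       client_country: str, client_state: Optional[str] = None) -> Optional[str]:
    """Most precise matching record wins: US state > country > continent > default.
    Returns None when nothing matches and no Default record exists."""
    best_value, best_rank = None, -1
    for rec in records:
        if rec.us_state is not None:
            rank = 3 if (client_country == "US" and client_state == rec.us_state) else None
        elif rec.country is not None:
            rank = 2 if client_country == rec.country else None
        elif rec.continent is not None:
            rank = 1 if client_continent == rec.continent else None
        elif rec.is_default:
            rank = 0
        else:
            rank = None  # record with no location at all: never selected
        if rank is not None and rank > best_rank:
            best_value, best_rank = rec.value, rank
    return best_value


def ip_based_answer(cidr_collection: Dict[str, List[str]], location_records: Dict[str, str],
                    client_ip: str) -> Optional[str]:
    """cidr_collection maps a location to its CIDR blocks; location_records maps
    a location to the record value. The most specific CIDR containing the client
    IP decides; None when the client is in no block."""
    ip = ipaddress.ip_address(client_ip)
    best_location, best_prefix = None, -1
    for location, cidrs in cidr_collection.items():
        for cidr in cidrs:
            network = ipaddress.ip_network(cidr, strict=False)
            if ip in network and network.prefixlen > best_prefix:
                best_location, best_prefix = location, network.prefixlen
    return None if best_location is None else location_records.get(best_location)


# Values from the IP-based routing slide.
CIDR_COLLECTION = {"location-1": ["203.0.113.0/24"], "location-2": ["200.5.4.0/24"]}
LOCATION_RECORDS = {"location-1": "1.2.3.4", "location-2": "5.6.7.8"}
```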
Routing Policies - Multi-Value

* Use when routing traffic to multiple resources
* Route 53 returns multiple values/resources
* Can be associated with Health Checks (return only values for healthy resources)
* Up to 8 healthy records are returned for each Multi-Value query
* Multi-Value is not a substitute for having an ELB

Name             Type      Value         TTL  Set ID  Health Check
www.example.com  A Record  192.0.2.2     60   Web1    A
www.example.com  A Record  198.51.100.2  60   Web2    B
www.example.com  A Record  203.0.113.2   60   Web3    C
Domain Registrar vs. DNS Service

* You buy or register your domain name with a Domain Registrar typically by paying annual charges (e.g., GoDaddy, Amazon Registrar Inc. ...)
* The Domain Registrar usually provides you with a DNS service to manage your DNS records
* But you can use another DNS service to manage your DNS records
* e.g., purchase the domain from GoDaddy and use Route 53 to manage your DNS records

Diagram: User -> purchase example.com -> GoDaddy; User -> manage DNS records -> Amazon Route 53
GoDaddy as Registrar & Route 53 as DNS Service

Screenshot: the GoDaddy DNS page for the domain shows "We can't display your DNS information because your nameservers aren't managed by us." and, under Nameservers, "Using custom nameservers" followed by the four Route 53 name servers. Next to it, the Amazon Route 53 Public Hosted Zone stephanetheteacher.com shows the hosted zone details (Hosted zone ID, Type: Public hosted zone, Record count, Description: "HostedZone created by Route53 Registrar") and the Name servers list to copy over.
3rd Party Registrar with Amazon Route 53

* If you buy your domain on a 3rd party registrar, you can still use Route 53 as the DNS Service provider
  1. Create a Hosted Zone in Route 53
  2. Update NS Records on the 3rd party website to use Route 53 Name Servers
* Domain Registrar != DNS Service
* But every Domain Registrar usually comes with some DNS features

Classic Solutions Architecture
Section Introduction

* These solutions architectures are the best part of this course
* Let's understand how all the technologies we've seen work together
* This is a section you need to be 100% comfortable with
* We'll see the progression of a Solutions Architect's mindset through many sample case studies:
  * WhatIsTheTime.Com
  * MyClothes.Com
  * MyWordPress.Com
  * Instantiating applications quickly
  * Beanstalk
Stateless Web App: WhatIsTheTime.com

* WhatIsTheTime.com allows people to know what time it is
* We don't need a database
* We want to start small and can accept downtime
* We want to fully scale vertically and horizontally, no downtime
* Let's go through the Solutions Architect journey for this app
* Let's see how we can proceed!
Stateless web app: What time is it?
Starting simple

Diagram: User asks "What time is it?" -> Public EC2 (T2) with an Elastic IP Address answers "5:30 pm!"

Stateless web app: What time is it?
Scaling vertically

Diagram: the Public EC2 keeps its Elastic IP Address but is replaced by a bigger instance - "Downtime while upgrading to M5" - after which it answers "6:30 pm!" and "7:30 pm!" to the users asking "What time is it?"
Stateless web app: What time is it?
Scaling horizontally

Diagram: several users ask "What time is it?" and each is answered by one of several Public EC2 instances

Stateless web app: What time is it?
Scaling horizontally (with DNS)

Diagram: users send a DNS Query for api.whatisthetime.com and receive an A Record (TTL 1 hour) listing the Public EC2 instances (no Elastic IP); each user then asks one instance "What time is it?" and gets "5:30 pm!" / "6:30 pm!" / "7:30 pm!"
Stateless web app: What time is it?
Scaling horizontally, adding and removing instances

Diagram: a user who resolved api.whatisthetime.com (A Record, TTL 1 hour) still asks an instance that has since been removed - "INSTANCE IS GONE!" - while the other users are answered "5:30 pm!" / "6:30 pm!" / "7:30 pm!" by the remaining Public EC2 instances (no Elastic IP)
Stateless web app: What time is it?
Scaling horizontally, with a load balancer

Diagram: the DNS Query for api.whatisthetime.com returns an Alias Record pointing at an ELB + Health Checks in Availability zone 1; the ELB forwards "What time is it?" to Private EC2 instances, whose Security group rules are restricted

Stateless web app: What time is it?
Scaling horizontally, with an auto-scaling group

Diagram: the same setup, with the Private EC2 instances in Availability zone 1 now managed by an Auto Scaling group behind the ELB + Health Checks
Stateless web app: What time is it?
Making our app multi-AZ

Diagram: DNS Query for api.whatisthetime.com -> Alias Record -> ELB + Health Checks (Multi AZ) -> Auto Scaling group with instances spread over Availability zones 1 to 3

Minimum 2 AZ => Let's reserve capacity

Diagram: the same multi-AZ setup (Availability zones 1 to 3), where the Auto Scaling group's minimum capacity = reserved instances = cost savings
In this lecture we've discussed...

* Public vs Private IP and EC2 instances
* Elastic IP vs Route 53 vs Load Balancers
* Route 53 TTL, A records and Alias Records
* Maintaining EC2 instances manually vs Auto Scaling Groups
* Multi AZ to survive disasters
* ELB Health Checks
* Security Group Rules
* Reservation of capacity for cost savings when possible
* We're considering 5 pillars for a well architected application: costs, performance, reliability, security, operational excellence
Stateful Web App: MyClothes.com

* MyClothes.com allows people to buy clothes online.
* There's a shopping cart
* Our website is having hundreds of users at the same time
* We need to scale, maintain horizontal scalability and keep our web application as stateless as possible
* Users should not lose their shopping cart
* Users should have their details (address, etc) in a database
* Let's see how we can proceed!
Stateful Web App: MyClothes.com

Diagram: users -> ELB -> Auto Scaling group of EC2 instances across Availability zones 1 to 3

Stateful Web App: MyClothes.com
Introduce Stickiness (Session Affinity)

Diagram: the ELB sends each user's requests to the same EC2 instance (stickiness / session affinity) within the Auto Scaling group across Availability zones 1 to 3
Introduce User Cookies 


r------------------- 


| ' Stateless 

ı | HTTP requests are heavier 

| | Security risk 

! ! (cookies can be altered) 

| t Cookies must be validated 

| ' Cookies must be less than 4KB 


Y Send shopping cart 
content in Web Cookies: 


Availability zone 3 


less ea 
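The two controls the slide names for a cart carried in a cookie, authenticating it so an altered cookie is rejected and keeping it under 4KB, as an added example that is not the course's code. The cart contents and the signing secret are constructed placeholders; in a real deployment the secret would come from a secrets store.

```python
"""Cart-in-cookie with the slide's two controls: the cookie carries an HMAC so
an altered cookie is rejected, and its size is capped at 4KB. Constructed
example, not the course's code; SECRET values here are placeholders."""
import base64
import hashlib
import hmac
import json
from typing import Optional

MAX_COOKIE_BYTES = 4096  # slide: cookies must be less than 4KB


class CookieTooLarge(ValueError):
    """Raised when the encoded cart would exceed the cookie size limit."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_cart_cookie(cart: dict, secret: bytes) -> str:
    """Serialise the cart and append an HMAC-SHA256 tag: '<payload>.<tag>'."""
    payload = _b64(json.dumps(cart, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    cookie = f"{payload}.{tag}"
    if len(cookie.encode()) > MAX_COOKIE_BYTES:
        raise CookieTooLarge(f"cart cookie is {len(cookie)} bytes; limit is {MAX_COOKIE_BYTES}")
    return cookie


def decode_cart_cookie(cookie: str, secret: bytes) -> Optional[dict]:
    """Return the cart, or None when the cookie is oversized, malformed or altered."""
    if len(cookie.encode()) > MAX_COOKIE_BYTES:
        return None  # never parse more than we would have issued
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None  # tag mismatch: the cookie was altered or signed elsewhere
    try:
        cart = json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    return cart if isinstance(cart, dict) else None


def cart_fits_in_cookie(cart: dict, secret: bytes) -> bool:
    """True when the cart can be issued as a cookie under the size limit."""
    try:
        encode_cart_cookie(cart, secret)
        return True
    except CookieTooLarge:
        return False
```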
Stateful Web App: MyClothes.com
Introduce Server Session

* Send session id in Web Cookies
* Store / retrieve session data in ElastiCache (Amazon DynamoDB as an alternative)

Diagram: client (session id in Web Cookies) -> ELB -> Auto Scaling group across Availability zones 1 to 3 -> store / retrieve session data in ElastiCache, or Amazon DynamoDB (alternative)
Stateful Web App: MyClothes.com
Storing User Data in a database

Diagram: the EC2 instances store / retrieve session data in ElastiCache and store / retrieve user data (address, name, etc) in RDS

Stateful Web App: MyClothes.com
Scaling Reads

Diagram: the RDS Master handles writes and replicates to Read Replicas, which serve the reads; ElastiCache still holds the sessions

Stateful Web App: MyClothes.com
Scaling Reads (Alternative) - Lazy Loading

Diagram: the EC2 instances read from ElastiCache first and go to RDS only on a cache miss
Stateful Web App: MyClothes.com
Multi AZ - Survive disasters

Diagram: ELB Multi AZ -> Auto Scaling group across Availability zones 1 to 3 -> ElastiCache Multi AZ and RDS Multi AZ

Stateful Web App: MyClothes.com
Security Groups

* Open HTTP/HTTPS to 0.0.0.0/0
* Restrict traffic to the ElastiCache Security group from the EC2 security group
* Restrict traffic to the RDS Security group from the EC2 security group
In this lecture we've discussed...

* 3-tier architectures for web applications
* ELB sticky sessions
* Web clients for storing cookies and making our web app stateless
* ElastiCache
  * For storing sessions (alternative: DynamoDB)
  * For caching data from RDS
  * Multi AZ
* RDS
  * For storing user data
  * Read replicas for scaling reads
  * Multi AZ for disaster recovery
* Tight Security with security groups referencing each other
Stateful Web App: MyWordPress.com

* We are trying to create a fully scalable WordPress website
* We want that website to access and correctly display picture uploads
* Our user data, and the blog content should be stored in a MySQL database.
* Let's see how we can achieve this!
Stateful Web App: MyWordPress.com
RDS layer

Diagram: ELB -> Auto Scaling group across Availability zones 1 to 3 -> RDS Multi AZ

Stateful Web App: MyWordPress.com
Scaling with Aurora: Multi AZ & Read Replicas

Diagram: the RDS layer is replaced by Aurora MySQL with Multi AZ and Read Replicas
Stateful Web App: MyWordPress.com
Storing images with EBS

Diagram: a single EC2 instance in Availability zone 1 stores the uploaded image ("Send image") on its EBS Volume

Stateful Web App: MyWordPress.com
Storing images with EBS (multi-instance)

Diagram: with instances in Availability zones 1 and 2, each instance has its own EBS Volume, and an image sent to one instance lands only on that instance's Volume

Stateful Web App: MyWordPress.com
Storing images with EFS

Diagram: "Send image" to any instance; all instances read and write the same EFS file system
In this lecture we've discussed...

* Aurora Database to have easy Multi-AZ and Read-Replicas
* Storing data in EBS (single instance application)
* Vs Storing data in EFS (distributed application)
Instantiating Applications quickly

* When launching a full stack (EC2, EBS, RDS), it can take time to:
  * Install applications
  * Insert initial (or recovery) data
  * Configure everything
  * Launch the application
* We can take advantage of the cloud to speed that up!

Instantiating Applications quickly

* EC2 Instances:
  * Use a Golden AMI: Install your applications, OS dependencies etc. beforehand and launch your EC2 instance from the Golden AMI
  * Bootstrap using User Data: For dynamic configuration, use User Data scripts
  * Hybrid: mix Golden AMI and User Data (Elastic Beanstalk)
* RDS Databases:
  * Restore from a snapshot: the database will have schemas and data ready!
* EBS Volumes:
  * Restore from a snapshot: the disk will already be formatted and have data!
Web App 3-tier - Typical architecture

Diagram: Route 53 -> ELB (PUBLIC SUBNET, Multi AZ) -> Auto Scaling group across Availability zones 1 to 3 (PRIVATE SUBNET) -> DATA SUBNET with Amazon RDS (read / write data) and ElastiCache (store / retrieve session data + cached data)
Developer problems on AWS

* Managing infrastructure
* Deploying Code
* Configuring all the databases, load balancers, etc
* Scaling concerns
* Most web apps have the same architecture (ALB + ASG)
* All the developers want is for their code to run!
* Possibly, consistently across different applications and environments
Elastic Beanstalk - Overview

* Elastic Beanstalk is a developer centric view of deploying an application on AWS
* It uses all the components we've seen before: EC2, ASG, ELB, RDS, ...
* Managed service
  * Automatically handles capacity provisioning, load balancing, scaling, application health monitoring, instance configuration, ...
  * Just the application code is the responsibility of the developer
* We still have full control over the configuration
* Beanstalk is free but you pay for the underlying instances
Elastic Beanstalk - Components

* Application: collection of Elastic Beanstalk components (environments, versions, configurations, ...)
* Application Version: an iteration of your application code
* Environment
  * Collection of AWS resources running an application version (only one application version at a time)
  * Tiers: Web Server Environment Tier & Worker Environment Tier
  * You can create multiple environments (dev, test, prod, ...)

Diagram: Create Application -> Upload Version -> Launch Environment -> Manage Environment; then update version -> deploy new version
Elastic Beanstalk - Supported Platforms

* Go
* Java SE
* Java with Tomcat
* .NET Core on Linux
* .NET on Windows Server
* Node.js
* PHP
* Python
* Ruby
* Packer Builder
* Single Container Docker
* Multi-container Docker
* Preconfigured Docker
* If not supported, you can write your custom platform (advanced)
Elastic Beanstalk - Web Server Tier vs. Worker Tier

Diagram: a Web Environment (myapp.us-east-1.elasticbeanstalk.com) with EC2 Instances (Web Server) inside a Security Group, compared with a Worker Environment
Elastic Beanstalk Deployment Modes

Single Instance - Great for dev
Diagram: Availability Zone 1 - one EC2 Instance with an Elastic IP, and an RDS Master

High Availability with Load Balancer - Great for prod
Diagram: Availability Zone 1 and Availability Zone 2 - a load balancer in front of EC2 Instances in both zones, an RDS Master in one zone and an RDS Standby in the other
Section Introduction

* Amazon S3 is one of the main building blocks of AWS
* It's advertised as "infinitely scaling" storage
* Many websites use Amazon S3 as a backbone
* Many AWS services use Amazon S3 as an integration as well
* We'll have a step-by-step approach to S3
Amazon S3 Use cases

* Backup and storage
* Disaster Recovery
* Archive
* Hybrid Cloud storage
* Application hosting
* Media hosting
* Data lakes & big data analytics
* Software delivery
* Static website

Examples: Nasdaq stores 7 years of data into S3 Glacier; Sysco runs analytics on its data and gains business insights
Amazon S3 - Buckets

* Amazon S3 allows people to store objects (files) in "buckets" (directories)
* Buckets must have a globally unique name (across all regions, all accounts)
* Buckets are defined at the region level
  * S3 looks like a global service but buckets are created in a region
* Naming convention
  * No uppercase, no underscore
  * 3-63 characters long
  * Not an IP
  * Must start with lowercase letter or number
  * Must NOT start with the prefix xn--
  * Must NOT end with the suffix -s3alias
Amazon S3 - Objects

* Objects (files) have a Key
* The key is the FULL path:
  * s3://my-bucket/my_file.txt
  * s3://my-bucket/my_folder1/another_folder/my_file.txt
* The key is composed of prefix + object name
  * s3://my-bucket/my_folder1/another_folder/my_file.txt (prefix: my_folder1/another_folder/, object name: my_file.txt)
* There's no concept of "directories" within buckets (although the UI will trick you to think otherwise)
* Just keys with very long names that contain slashes ("/")
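The naming rules and the prefix/object-name split above, as an added example (not code from the course slides): a validator for bucket names and a key splitter, runnable offline. The character-set check (lowercase letters, digits, dots and hyphens only) is the S3 rule implied by "no uppercase, no underscore"; everything else follows the bullets above.

```python
# Added example (not from the course slides): checks the bucket naming rules
# listed above and splits keys the way S3 does (prefix + object name).
# Runs offline; no AWS account needed. The character-set check (lowercase
# letters, digits, dots and hyphens only) is the S3 rule the slide implies
# with "no uppercase, no underscore".
import ipaddress
import re


def _looks_like_ip(name):
    """True for names formatted as an IPv4/IPv6 address, e.g. 192.168.5.4."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def bucket_name_errors(name):
    """Return every naming-rule violation for `name` (empty list = valid)."""
    errors = []
    if not 3 <= len(name) <= 63:
        errors.append("length must be 3-63 characters")
    if re.search(r"[A-Z]", name):
        errors.append("no uppercase letters")
    if "_" in name:
        errors.append("no underscores")
    if not re.match(r"[a-z0-9]", name):
        errors.append("must start with a lowercase letter or number")
    if name.startswith("xn--"):
        errors.append("must not start with the prefix xn--")
    if name.endswith("-s3alias"):
        errors.append("must not end with the suffix -s3alias")
    if _looks_like_ip(name):
        errors.append("must not be formatted as an IP address")
    if not re.fullmatch(r"[a-z0-9.-]*", name):
        errors.append("only lowercase letters, numbers, dots and hyphens")
    return errors


def split_key(key):
    """Split an object key into (prefix, object name).

    The prefix is everything up to and including the last '/'; S3 has no
    directories, so 'a/b/' is just part of the key string.
    """
    slash = key.rfind("/")
    if slash == -1:
        return "", key
    return key[: slash + 1], key[slash + 1 :]


def parse_s3_uri(uri):
    """Turn 's3://bucket/key' into (bucket, key), validating the bucket name."""
    if not uri.startswith("s3://"):
        raise ValueError("expected an s3:// URI")
    bucket, _, key = uri[len("s3://"):].partition("/")
    errors = bucket_name_errors(bucket)
    if errors:
        raise ValueError("invalid bucket name %r: %s" % (bucket, "; ".join(errors)))
    return bucket, key


if __name__ == "__main__":
    for candidate in ["my-bucket", "MyBucket", "192.168.5.4", "xn--foo", "ab"]:
        print(candidate, bucket_name_errors(candidate) or "OK")
    print(parse_s3_uri("s3://my-bucket/my_folder1/another_folder/my_file.txt"))
    print(split_key("my_folder1/another_folder/my_file.txt"))
```

Because a bucket name is also a DNS label in the virtual-hosted URL, rejecting names early in a deployment pipeline avoids a failed CreateBucket call late in a rollout.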
Amazon S3 — Objects (cont.)

* Object values are the content of the body:
  * Max. Object Size is 5TB (5000GB)
  * If uploading more than 5GB, must use "multi-part upload"
* Metadata (list of text key / value pairs — system or user metadata)
* Tags (Unicode key / value pair — up to 10) — useful for security / lifecycle
* Version ID (if versioning is enabled)
Amazon S3 — Security

* User-Based
  * IAM Policies — which API calls should be allowed for a specific user from IAM
* Resource-Based
  * Bucket Policies — bucket wide rules from the S3 console - allows cross account
  * Object Access Control List (ACL) — finer grain (can be disabled)
  * Bucket Access Control List (ACL) — less common (can be disabled)
* Note: an IAM principal can access an S3 object if
  * the user's IAM permissions ALLOW it OR the resource policy ALLOWS it
  * AND there's no explicit DENY
  * (for cross-account access, the identity policy in the calling account AND the bucket policy must both allow the call)
* Encryption: encrypt objects in Amazon S3 using encryption keys
S3 Bucket Policies

* JSON based policies
  * Resources: buckets and objects
  * Effect: Allow / Deny
  * Actions: Set of API to Allow or Deny
  * Principal: The account or user to apply the policy to ("*" means anyone, including anonymous requests)
* Use S3 bucket policy to:
  * Grant public access to the bucket
  * Force objects to be encrypted at upload
  * Grant access to another account (Cross Account)

Example policy (public read of every object in the bucket):

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": [
          "s3:GetObject"
        ],
        "Resource": [
          "arn:aws:s3:::examplebucket/*"
        ]
      }
    ]
  }
Example: Public Access - Use Bucket Policy
(diagram) Anonymous www website visitor -> S3 Bucket; the S3 Bucket Policy allows public access

Example: User Access to S3 — IAM permissions
(diagram) IAM User with an IAM Policy -> S3 Bucket

Example: EC2 instance access - Use IAM Roles
(diagram) EC2 Instance with an EC2 Instance Role (IAM permissions) -> S3 Bucket

Advanced: Cross-Account Access — Use Bucket Policy
(diagram) IAM User in another AWS account -> S3 Bucket; the S3 Bucket Policy allows cross-account access
Bucket settings for Block Public Access

* Block all public access: On
  * Block public access to buckets and objects granted through new access control lists (ACLs): On
  * Block public access to buckets and objects granted through any access control lists (ACLs): On
  * Block public access to buckets and objects granted through new public bucket or access point policies: On
  * Block public and cross-account access to buckets and objects through any public bucket or access point policies: On
* These settings were created to prevent company data leaks
* If you know your bucket should never be public, leave these on
* Can be set at the account level (account-level and bucket-level settings combine, and the more restrictive one wins)
Amazon S3 — Static Website Hosting

* S3 can host static websites and have them accessible on the Internet
* The website URL will be (depending on the region)
  * http://bucket-name.s3-website-aws-region.amazonaws.com
  * OR http://bucket-name.s3-website.aws-region.amazonaws.com
  * example: http://demo-bucket.s3-website-us-west-2.amazonaws.com or http://demo-bucket.s3-website.us-west-2.amazonaws.com
* If you get a 403 Forbidden error, make sure the bucket policy allows public reads (and that Block Public Access is not overriding it)!
Amazon S3 - Versioning

* You can version your files in Amazon S3
* It is enabled at the bucket level
* Same key overwrite will change the "version": 1, 2, 3...
* It is best practice to version your buckets
  * Protect against unintended deletes (ability to restore a version)
  * Easy roll back to previous version
* Notes:
  * Any file that is not versioned prior to enabling versioning will have version "null"
  * Suspending versioning does not delete the previous versions
Amazon S3 — Replication (CRR & SRR)

* Must enable Versioning in source and destination buckets
* Cross-Region Replication (CRR)
* Same-Region Replication (SRR)
* Buckets can be in different AWS accounts
* Copying is asynchronous
* Must give proper IAM permissions to S3 replication (an IAM role that S3 assumes to read the source bucket and write to the destination)
* Use cases:
  * CRR - compliance, lower latency access, replication across accounts
  * SRR — log aggregation, live replication between production and test accounts

(diagram) S3 Bucket (source region) -> asynchronous replication -> S3 Bucket (us-east-2)
Amazon S3 — Replication (Notes)

* After you enable Replication, only new objects are replicated
* Optionally, you can replicate existing objects using S3 Batch Replication
  * Replicates existing objects and objects that failed replication
* For DELETE operations
  * Can replicate delete markers from source to target (optional setting)
  * Deletions with a version ID are not replicated (to avoid malicious deletes)
* There is no "chaining" of replication
  * If bucket 1 has replication into bucket 2, which has replication into bucket 3
  * Then objects created in bucket 1 are not replicated to bucket 3

© Stephane Maarek
S3 Storage Classes

* Amazon S3 Standard - General Purpose
* Amazon S3 Standard-Infrequent Access (IA)
* Amazon S3 One Zone-Infrequent Access
* Amazon S3 Glacier Instant Retrieval
* Amazon S3 Glacier Flexible Retrieval
* Amazon S3 Glacier Deep Archive
* Amazon S3 Intelligent Tiering
* Can move between classes manually or using S3 Lifecycle configurations
S3 Durability and Availability

* Durability:
  * High durability (99.999999999%, 11 9's) of objects across multiple AZ
  * If you store 10,000,000 objects with Amazon S3, you can on average expect to incur a loss of a single object once every 10,000 years
  * Same for all storage classes
* Availability:
  * Measures how readily available a service is
  * Varies depending on storage class
  * Example: S3 standard has 99.99% availability = not available 53 minutes a year
S3 Standard — General Purpose

* 99.99% Availability
* Used for frequently accessed data
* Low latency and high throughput
* Sustain 2 concurrent facility failures
* Use Cases: Big Data analytics, mobile & gaming applications, content distribution...
S3 Storage Classes — Infrequent Access

* For data that is less frequently accessed, but requires rapid access when needed
* Lower cost than S3 Standard
* Amazon S3 Standard-Infrequent Access (S3 Standard-IA)
  * 99.9% Availability
  * Use cases: Disaster Recovery, backups
* Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA)
  * High durability (99.999999999%) in a single AZ; data lost when AZ is destroyed
  * 99.5% Availability
  * Use Cases: Storing secondary backup copies of on-premises data, or data you can recreate
Amazon S3 Glacier Storage Classes

* Low-cost object storage meant for archiving / backup
* Pricing: price for storage + object retrieval cost
* Amazon S3 Glacier Instant Retrieval
  * Millisecond retrieval, great for data accessed once a quarter
  * Minimum storage duration of 90 days
* Amazon S3 Glacier Flexible Retrieval (formerly Amazon S3 Glacier):
  * Expedited (1 to 5 minutes), Standard (3 to 5 hours), Bulk (5 to 12 hours) — free
  * Minimum storage duration of 90 days
* Amazon S3 Glacier Deep Archive — for long term storage:
  * Standard (12 hours), Bulk (48 hours)
  * Minimum storage duration of 180 days
S3 Intelligent-Tiering

* Small monthly monitoring and auto-tiering fee
* Moves objects automatically between Access Tiers based on usage
* There are no retrieval charges in S3 Intelligent-Tiering
* Frequent Access tier (automatic): default tier
* Infrequent Access tier (automatic): objects not accessed for 30 days
* Archive Instant Access tier (automatic): objects not accessed for 90 days
* Archive Access tier (optional): configurable from 90 days to 700+ days
* Deep Archive Access tier (optional): config. from 180 days to 700+ days
S3 Storage Classes Comparison

Durability: 99.999999999% (11 9's) for every class

Class                        Availability   Availability SLA   Availability Zones   Min. storage duration charge   Min. billable object size   Retrieval fee
Standard                     99.99%         99.9%              >= 3                 None                           None                        None
Intelligent-Tiering          99.9%          99%                >= 3                 None                           None                        None
Standard-IA                  99.9%          99%                >= 3                 30 days                        128 KB                      Per GB retrieved
One Zone-IA                  99.5%          99%                1                    30 days                        128 KB                      Per GB retrieved
Glacier Instant Retrieval    99.9%          99%                >= 3                 90 days                        128 KB                      Per GB retrieved
Glacier Flexible Retrieval   99.99%         99.9%              >= 3                 90 days                        40 KB                       Per GB retrieved
Glacier Deep Archive         99.99%         99.9%              >= 3                 180 days                       40 KB                       Per GB retrieved

https://aws.amazon.com/s3/storage-classes
S3 Storage Classes — Price Comparison
Example: us-east-1

Class                        Storage cost (per GB per month)   Request cost (per 1000 requests)                                          Retrieval time
Standard                     $0.023                            GET: $0.0004, POST: $0.005                                                Instantaneous
Intelligent-Tiering          $0.0025 - $0.023                  GET: $0.0004, POST: $0.005; monitoring: $0.0025 per 1000 objects          Instantaneous
Standard-IA                  $0.0125                           GET: $0.001, POST: $0.01                                                  Instantaneous
One Zone-IA                  $0.01                             GET: $0.001, POST: $0.01                                                  Instantaneous
Glacier Instant Retrieval    $0.004                            GET: $0.01, POST: $0.02                                                   Instantaneous
Glacier Flexible Retrieval   $0.0036                           GET: $0.0004, POST: $0.03; retrieval: Expedited $10, Standard $0.05, Bulk free   Expedited (1 - 5 mins), Standard (3 - 5 hours), Bulk (5 - 12 hours)
Glacier Deep Archive         $0.00099                          GET: $0.0004; retrieval: Standard $0.10, Bulk $0.025                      Standard (12 hours), Bulk (48 hours)

https://aws.amazon.com/s3/pricing
Amazon S3 — Moving between Storage Classes

* You can transition objects between storage classes
* For infrequently accessed objects, move them to Standard IA
* For archive objects that you don't need fast access to, move them to Glacier or Glacier Deep Archive
* Moving objects can be automated using Lifecycle Rules
Amazon S3 — Lifecycle Rules

* Transition Actions — configure objects to transition to another storage class
  * Move objects to Standard IA class 60 days after creation
  * Move to Glacier for archiving after 6 months
* Expiration actions — configure objects to expire (delete) after some time
  * Access log files can be set to delete after 365 days
  * Can be used to delete old versions of files (if versioning is enabled)
  * Can be used to delete incomplete Multi-Part uploads
* Rules can be created for a certain prefix (example: s3://mybucket/mp3/*)
* Rules can be created for certain object Tags (example: Department: Finance)
Amazon S3 — Lifecycle Rules (Scenario 1)

* Your application on EC2 creates image thumbnails after profile photos are uploaded to Amazon S3. These thumbnails can be easily recreated, and only need to be kept for 60 days. The source images should be able to be immediately retrieved for these 60 days, and afterwards, the user can wait up to 6 hours. How would you design this?
* S3 source images can be on Standard, with a lifecycle configuration to transition them to Glacier after 60 days (Glacier Flexible Retrieval: a Standard retrieval takes 3 to 5 hours, inside the 6-hour window)
* S3 thumbnails can be on One-Zone IA, with a lifecycle configuration to expire them (delete them) after 60 days
Amazon S3 — Lifecycle Rules (Scenario 2)

* A rule in your company states that you should be able to recover your deleted S3 objects immediately for 30 days, although this may happen rarely. After this time, and for up to 365 days, deleted objects should be recoverable within 48 hours.
* Enable S3 Versioning in order to have object versions, so that "deleted" objects are in fact hidden by a "delete marker" and can be recovered
* Transition the "noncurrent versions" of the object to Standard IA
* Transition afterwards the "noncurrent versions" to Glacier Deep Archive (a Bulk retrieval completes within 48 hours, which meets the requirement)
Amazon S3 Analytics — Storage Class Analysis

* Help you decide when to transition objects to the right storage class
* Recommendations for Standard and Standard IA
  * Does NOT work for One-Zone IA or Glacier
* Report is updated daily
* 24 to 48 hours to start seeing data analysis
* Good first step to put together Lifecycle Rules (or improve them)!

.CSV report (example rows):
  Date        StorageClass   ObjectAge
  8/22/2022   STANDARD       000-014
  8/25/2022   STANDARD       030-044
  9/6/2022    STANDARD       120-149
S3 — Requester Pays

* In general, bucket owners pay for all Amazon S3 storage and data transfer costs associated with their bucket
* With Requester Pays buckets, the requester instead of the bucket owner pays the cost of the request and the data download from the bucket
* Helpful when you want to share large datasets with other accounts
* The requester must be authenticated in AWS (cannot be anonymous)

(diagram) Standard Bucket: the Owner pays the storage cost and the networking cost of the Requester's download. Requester Pays Bucket: the Owner pays the storage cost, the Requester pays the networking cost
S3 Event Notifications

* S3:ObjectCreated, S3:ObjectRemoved, S3:ObjectRestore, S3:Replication...
* Object name filtering possible (*.jpg)
* Use case: generate thumbnails of images uploaded to S3
* Can create as many "S3 events" as desired
* S3 event notifications typically deliver events in seconds but can sometimes take a minute or longer

(diagram) Amazon S3 -> events -> Lambda Function
S3 Event Notifications — IAM Permissions

The permission lives on the destination: a resource (access) policy on the SNS topic, SQS queue or Lambda function lets the S3 service principal publish, send or invoke. The aws:SourceArn condition pins the grant to your bucket, so a bucket in another account cannot use your destination.

SNS Resource (Access) Policy:

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "SNS:Publish",
        "Principal": {
          "Service": "s3.amazonaws.com"
        },
        "Resource": "arn:aws:sns:us-east-1:123456789012:MyTopic",
        "Condition": {
          "ArnLike": {
            "aws:SourceArn": "arn:aws:s3:::MyBucket"
          }
        }
      }
    ]
  }

SQS Resource (Access) Policy:

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "SQS:SendMessage",
        "Principal": {
          "Service": "s3.amazonaws.com"
        },
        "Resource": "arn:aws:sqs:us-east-1:123456789012:MyQueue",
        "Condition": {
          "ArnLike": {
            "aws:SourceArn": "arn:aws:s3:::MyBucket"
          }
        }
      }
    ]
  }

Lambda Resource Policy:

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "lambda:InvokeFunction",
        "Principal": {
          "Service": "s3.amazonaws.com"
        },
        "Resource": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
        "Condition": {
          "ArnLike": {
            "AWS:SourceArn": "arn:aws:s3:::MyBucket"
          }
        }
      }
    ]
  }
S3 Event Notifications with Amazon EventBridge

(diagram) Amazon S3 bucket -> All events -> Amazon EventBridge -> rules -> Over 18 AWS services as destinations

* Advanced filtering options with JSON rules (metadata, object size, name...)
* Multiple Destinations — ex Step Functions, Kinesis Streams / Firehose...
* EventBridge Capabilities — Archive, Replay Events, Reliable delivery
S3 — Baseline Performance

* Amazon S3 automatically scales to high request rates, latency 100-200 ms
* Your application can achieve at least 3,500 PUT/COPY/POST/DELETE or 5,500 GET/HEAD requests per second per prefix in a bucket.
* There are no limits to the number of prefixes in a bucket.
* Example (object path => prefix):
  * bucket/folder1/sub1/file => /folder1/sub1/
  * bucket/folder1/sub2/file => /folder1/sub2/
  * bucket/1/file => /1/
  * bucket/2/file => /2/
* If you spread reads across all four prefixes evenly, you can achieve 22,000 requests per second for GET and HEAD
S3 Performance

* Multi-Part upload:
  * recommended for files > 100MB, must use for files > 5GB
  * Can help parallelize uploads (speed up transfers)
* S3 Transfer Acceleration
  * Increase transfer speed by transferring file to an AWS edge location which will forward the data to the S3 bucket in the target region
  * Compatible with multi-part upload

(diagram) Multi-part upload: a BIG file is divided in parts, uploaded in parallel to Amazon S3. Transfer Acceleration: File in USA -> fast (public www) -> Edge Location USA -> fast (private AWS) -> S3 Bucket Australia
S3 Performance — S3 Byte-Range Fetches

* Parallelize GETs by requesting specific byte ranges
* Better resilience in case of failures
* Can be used to speed up downloads (the file in S3 is fetched with several byte-range requests in parallel)
* Can be used to retrieve only partial data (for example the head of a file: a byte-range request for the first XX bytes)
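The two parallel-transfer patterns above, multipart upload and byte-range fetches, as an added example (not code from the course slides). It plans the part list for an upload and the Range headers for a download; the limits hard-coded in it are the documented S3 ones (single PUT up to 5 GiB, parts of 5 MiB to 5 GiB with a smaller last part allowed, at most 10,000 parts, objects up to 5 TiB), and the 100 MB threshold is the slide's recommendation.

```python
# Added example (not from the course slides): planning the two parallel
# transfer patterns described above, splitting an upload into multipart parts
# and a download into byte-range GETs. The limits are the documented S3 ones:
# single PUT up to 5 GiB, parts of 5 MiB to 5 GiB (the last part may be
# smaller), at most 10,000 parts, objects up to 5 TiB. The 100 MB threshold
# is the slide's recommendation. Pure Python, runs offline.
MiB = 1024 ** 2
GiB = 1024 ** 3
MAX_SINGLE_PUT = 5 * GiB
MULTIPART_THRESHOLD = 100 * MiB
MIN_PART, MAX_PART, MAX_PARTS = 5 * MiB, 5 * GiB, 10_000
MAX_OBJECT = 5 * 1024 * GiB


def upload_mode(size):
    """Single PUT, multipart recommended (>100 MB) or multipart required (>5 GB)."""
    if size > MAX_SINGLE_PUT:
        return "multipart required"
    if size > MULTIPART_THRESHOLD:
        return "multipart recommended"
    return "single PUT"


def plan_multipart(size, part_size=8 * MiB):
    """Return [(part_number, first_byte, last_byte)] for a multipart upload.

    The part size is raised when needed so that no part is below 5 MiB and the
    upload stays within 10,000 parts; an empty list means a single PUT suffices.
    """
    if size > MAX_OBJECT:
        raise ValueError("objects are limited to 5 TiB")
    if upload_mode(size) == "single PUT":
        return []
    part_size = max(part_size, MIN_PART, -(-size // MAX_PARTS))  # ceil division
    if part_size > MAX_PART:
        raise ValueError("cannot fit the object into 10,000 parts of <= 5 GiB")
    parts, start = [], 0
    while start < size:
        end = min(start + part_size, size) - 1
        parts.append((len(parts) + 1, start, end))
        start = end + 1
    return parts


def plan_byte_ranges(size, chunk=16 * MiB):
    """Range header values that download an object of `size` bytes in parallel."""
    return ["bytes=%d-%d" % (s, min(s + chunk, size) - 1) for s in range(0, size, chunk)]


def head_range(n_bytes):
    """Range header that fetches only the first n bytes (e.g. a file header)."""
    return "bytes=0-%d" % (n_bytes - 1)


if __name__ == "__main__":
    size = 100 * MiB + 1
    print(upload_mode(size), len(plan_multipart(size)), "parts")
    print(plan_byte_ranges(40 * MiB)[-1], head_range(512))
```

Each tuple from plan_multipart maps to one UploadPart call (the part number and the byte slice of the local file), and each string from plan_byte_ranges is the value of the Range header of one GetObject call; a failed part or range is retried on its own instead of restarting the whole transfer, which is the resilience point made above.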
S3 Select & Glacier Select

* Retrieve less data using SQL by performing server-side filtering
* Can filter by rows & columns (simple SQL statements)
* Less network transfer, less CPU cost client-side

(diagram) Before: the client gets the whole CSV file from Amazon S3, then filters it. After: the client gets the CSV with S3 Select, Amazon S3 does the server-side filtering and sends only the filtered dataset
https://aws.amazon.com/blogs/aws/s3-glacier-select
Batch Operations

* Perform bulk operations on existing S3 objects with a single request, example:
  * Modify object metadata & properties
  * Copy objects between S3 buckets
  * Encrypt un-encrypted objects
  * Modify ACLs, tags
  * Restore objects from S3 Glacier
  * Invoke Lambda function to perform custom action on each object
* A job consists of a list of objects, the action to perform, and optional parameters
* S3 Batch Operations manages retries, tracks progress, sends completion notifications, generates reports ...
* You can use S3 Inventory to get object list and use S3 Select to filter your objects

(diagram) S3 Inventory -> Objects List Report -> S3 Select (filter) -> filtered list -> S3 Batch Operations, with the operation and parameters supplied by the User
Amazon S3 — Object Encryption

* You can encrypt objects in S3 buckets using one of 4 methods
* Server-Side Encryption (SSE)
  * Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) — Enabled by Default
    * Encrypts S3 objects using keys handled, managed, and owned by AWS
  * Server-Side Encryption with KMS Keys stored in AWS KMS (SSE-KMS)
    * Leverage AWS Key Management Service (AWS KMS) to manage encryption keys
  * Server-Side Encryption with Customer-Provided Keys (SSE-C)
    * When you want to manage your own encryption keys
* Client-Side Encryption
* It's important to understand which ones are for which situation for the exam
Amazon S3 Encryption — SSE-S3

* Encryption using keys handled, managed, and owned by AWS
* Object is encrypted server-side
* Encryption type is AES-256
* Must set header "x-amz-server-side-encryption": "AES256"
* Enabled by default for new buckets & new objects

(diagram) User -> upload over HTTP(S) with the header -> Amazon S3 encrypts the object with an S3-owned key -> S3 Bucket
Amazon S3 Encryption — SSE-KMS

* Encryption using keys handled and managed by AWS KMS (Key Management Service)
* KMS advantages: user control + audit key usage using CloudTrail
* Object is encrypted server side
* Must set header "x-amz-server-side-encryption": "aws:kms"

(diagram) User -> upload over HTTP(S) with the header -> Amazon S3 encrypts the object with a KMS Key from AWS KMS -> S3 Bucket
SSE-KMS Limitation

* If you use SSE-KMS, you may be impacted by the KMS API call limits
  * When you upload, it calls the GenerateDataKey KMS API
  * When you download, it calls the Decrypt KMS API
  * Count towards the KMS quota per second (5,500, 10,000 or 30,000 req/s depending on the region)
* You can request a quota increase using the Service Quotas Console
* S3 Bucket Keys reduce the number of KMS calls: S3 asks KMS for a bucket-level key and derives the per-object keys from it

(diagram) User -> upload (GenerateDataKey) / download (Decrypt) -> S3 Bucket <-> KMS Key
Amazon S3 Encryption — SSE-C

* Server-Side Encryption using keys fully managed by the customer outside of AWS
* Amazon S3 does NOT store the encryption key you provide
* HTTPS must be used
* Encryption key must be provided in HTTP headers, for every HTTP request made

(diagram) User -> upload over HTTPS with the client-provided key in a header -> Amazon S3 encrypts the object with that key and discards the key -> S3 Bucket
Amazon S3 Encryption — Client-Side Encryption

* Use client libraries such as Amazon S3 Client-Side Encryption Library
* Clients must encrypt data themselves before sending to Amazon S3
* Clients must decrypt data themselves when retrieving from Amazon S3
* Customer fully manages the keys and encryption cycle

(diagram) File + Client Key -> File (encrypted) -> upload over HTTP(S) -> S3 Bucket
Amazon S3 — Encryption in transit (SSL/TLS)

* Encryption in flight (in transit) is provided by SSL/TLS
* Amazon S3 exposes two endpoints:
  * HTTP Endpoint — non encrypted
  * HTTPS Endpoint — encryption in flight
* HTTPS is recommended
* HTTPS is mandatory for SSE-C
* Most clients would use the HTTPS endpoint by default
Amazon S3 — Force Encryption in Transit

(diagram) Account B user -> HTTPS request allowed, HTTP request denied -> S3 Bucket (my-bucket), enforced by the Bucket Policy below through the aws:SecureTransport condition key

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::my-bucket/*",
        "Condition": {
          "Bool": {
            "aws:SecureTransport": "false"
          }
        }
      }
    ]
  }

* Note: this statement only covers GetObject on objects; to force TLS for every operation, deny "s3:*" and list both the bucket ARN ("arn:aws:s3:::my-bucket") and the object ARN ("arn:aws:s3:::my-bucket/*") as resources
Amazon S3 — Default Encryption vs. Bucket Policies

* SSE-S3 encryption is automatically applied to new objects stored in S3 bucket
* Optionally, you can "force encryption" using a bucket policy and refuse any API call to PUT an S3 object without encryption headers (SSE-KMS or SSE-C)

Force SSE-KMS (deny a PUT whose header is not "aws:kms"; a PUT with no header at all is also denied, because StringNotEquals matches when the key is absent):

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Deny",
        "Action": "s3:PutObject",
        "Principal": "*",
        "Resource": "arn:aws:s3:::my-bucket/*",
        "Condition": {
          "StringNotEquals": {
            "s3:x-amz-server-side-encryption": "aws:kms"
          }
        }
      }
    ]
  }

Force SSE-C (deny a PUT that carries no customer-algorithm header):

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Deny",
        "Action": "s3:PutObject",
        "Principal": "*",
        "Resource": "arn:aws:s3:::my-bucket/*",
        "Condition": {
          "Null": {
            "s3:x-amz-server-side-encryption-customer-algorithm": "true"
          }
        }
      }
    ]
  }

* Note: Bucket Policies are evaluated before "Default Encryption"
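The authorization rule from the Amazon S3 Security slide (allowed if the identity policy OR the bucket policy allows, AND nothing explicitly denies) and the three bucket-policy patterns on this page (public read, force TLS, force SSE-KMS), as an added example that is not code from the course slides: a small policy evaluator run against those policies. It assumes same-account access, supports only the condition operators the page uses (Bool, StringNotEquals, Null) plus StringEquals and ArnLike, compares principals as plain ARN strings, and widens the TLS statement from the slide's s3:GetObject to s3:* on both ARNs; the uploader role is hypothetical.

```python
# Added example (not from the course slides): a small simulator of the S3 rule
# stated earlier on this page (allowed if an identity policy OR the bucket
# policy allows, AND nothing explicitly denies), run against the public-read,
# force-TLS and force-SSE-KMS bucket policies shown above. Assumed: same-account
# access, the page's condition operators (Bool, StringNotEquals, Null) plus
# StringEquals and ArnLike, and principals compared as plain ARN strings.
import re

NEGATED = {"StringNotEquals", "ArnNotLike"}  # these match when the key is absent

def _glob(pattern, value):
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_matches(principal, caller):
    if principal == "*":
        return True
    allowed = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return any(p in ("*", caller) for p in allowed)

def _condition_matches(cond, ctx):
    """Every operator block and every key inside it must match (AND)."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual, expected = ctx.get(key), [str(e) for e in _as_list(expected)]
            if op == "Null":  # "true" means the key must be absent from the request
                if (actual is None) != (expected[0].lower() == "true"):
                    return False
            elif actual is None:  # missing key: positive ops fail, negated ops pass
                if op not in NEGATED:
                    return False
            elif op == "Bool" and str(actual).lower() != expected[0].lower():
                return False
            elif op == "StringEquals" and actual not in expected:
                return False
            elif op == "StringNotEquals" and actual in expected:
                return False
            elif op == "ArnLike" and not any(_glob(e, actual) for e in expected):
                return False
            elif op not in ("Bool", "StringEquals", "StringNotEquals", "ArnLike"):
                raise ValueError("unsupported condition operator: " + op)
    return True

def _applies(stmt, req, check_principal):
    if check_principal and not _principal_matches(stmt.get("Principal"), req["principal"]):
        return False
    if not any(_glob(a, req["action"]) for a in _as_list(stmt["Action"])):
        return False
    if not any(_glob(r, req["resource"]) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_matches(stmt.get("Condition", {}), req.get("context", {}))

def evaluate(req, identity_policy=None, bucket_policy=None):
    """Return 'allow', 'explicit deny' or 'implicit deny' for one request."""
    effects = []
    for policy, check_principal in ((identity_policy, False), (bucket_policy, True)):
        for stmt in (_as_list(policy["Statement"]) if policy else []):
            if _applies(stmt, req, check_principal):
                effects.append(stmt["Effect"])
    if "Deny" in effects:
        return "explicit deny"
    return "allow" if "Allow" in effects else "implicit deny"

# The page's three bucket-policy patterns merged into one policy; the TLS
# statement is widened from the slide's s3:GetObject to s3:* on both ARNs.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-bucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}}]}
UPLOADER = "arn:aws:iam::123456789012:role/uploader"  # hypothetical role, for the demo
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::my-bucket/*"}]}

def _req(principal, action, key, ctx):
    return {"principal": principal, "action": action,
            "resource": "arn:aws:s3:::my-bucket/" + key, "context": ctx}

def scenarios():
    """Decisions for the cases a reviewer of these policies would ask about."""
    tls, kms = {"aws:SecureTransport": "true"}, {"s3:x-amz-server-side-encryption": "aws:kms"}
    anon, up = "anonymous", UPLOADER
    return {
        "anonymous GET over HTTPS": evaluate(_req(anon, "s3:GetObject", "index.html", tls), None, BUCKET_POLICY),
        "anonymous GET over HTTP": evaluate(_req(anon, "s3:GetObject", "index.html", {"aws:SecureTransport": "false"}), None, BUCKET_POLICY),
        "anonymous PUT": evaluate(_req(anon, "s3:PutObject", "x", {**tls, **kms}), None, BUCKET_POLICY),
        "uploader PUT with SSE-KMS": evaluate(_req(up, "s3:PutObject", "x", {**tls, **kms}), IDENTITY_POLICY, BUCKET_POLICY),
        "uploader PUT without SSE header": evaluate(_req(up, "s3:PutObject", "x", tls), IDENTITY_POLICY, BUCKET_POLICY),
    }

if __name__ == "__main__":
    for name, decision in scenarios().items():
        print("%-34s -> %s" % (name, decision))
```

The missing-key behaviour is the detail worth testing before trusting a "force encryption" policy: a PUT with no encryption header is denied by the StringNotEquals statement only because negated operators match when the key is absent, whereas a positive operator such as StringEquals would silently never match. The simulator is a reasoning aid; the authoritative check for a real account is the IAM policy simulator or a test PUT from the CLI.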
What is CORS?

* Cross-Origin Resource Sharing (CORS)
* Origin = scheme (protocol) + host (domain) + port
  * example: https://www.example.com (implied port is 443 for HTTPS, 80 for HTTP)
* Web Browser based mechanism to allow requests to other origins while visiting the main origin
  * Same origin: http://example.com/app1 & http://example.com/app2
  * Different origins: http://www.example.com & http://other.example.com
* The requests won't be fulfilled unless the other origin allows for the requests, using CORS Headers (example: Access-Control-Allow-Origin)
What is CORS? (diagram)

The Web Browser, on the Origin https://www.example.com, makes a cross-origin request to the Web Server at https://www.other.com:

  Preflight Request
    OPTIONS /
    Host: www.other.com
    Origin: https://www.example.com

  Preflight Response
    Access-Control-Allow-Origin: https://www.example.com
    Access-Control-Allow-Methods: GET, PUT, DELETE

  CORS headers received by the Origin: the Web Browser can now make the request
    GET /
    Host: www.other.com
    Origin: https://www.example.com
Amazon S3 — CORS

* If a client makes a cross-origin request on our S3 bucket, we need to enable the correct CORS headers
* It's a popular exam question
* You can allow for a specific origin or for * (all origins)

(diagram) Web Browser:
  GET /index.html
  Host: my-bucket-html.s3-website.us-west-2.amazonaws.com
  -> S3 Bucket my-bucket-html (Static Website Enabled) serves index.html

  GET /images/coffee.jpg
  Host: my-bucket-assets.s3-website.us-west-2.amazonaws.com
  Origin: http://my-bucket-html.s3-website.us-west-2.amazonaws.com
  -> S3 Bucket my-bucket-assets (Static Website Enabled) must answer with CORS headers that allow that origin
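How the asset bucket in the diagram answers that cross-origin request, as an added example (not code from the course slides): a CORS rule set in the JSON shape of the S3 console (AllowedOrigins, AllowedMethods, AllowedHeaders, ExposeHeaders, MaxAgeSeconds) and a function that derives the response headers S3 would add for a given Origin and method. The rule set for my-bucket-assets is constructed for the example; the origin and bucket names are the diagram's.

```python
# Added example (not from the course slides): how a browser's cross-origin
# request is answered by an S3 bucket's CORS configuration. The rules use the
# JSON shape of the S3 console (AllowedOrigins, AllowedMethods, AllowedHeaders,
# ExposeHeaders, MaxAgeSeconds); the asset bucket and origin are the ones in
# the diagram above. Pure Python, no network.
import re

# Constructed CORS configuration for my-bucket-assets: only the html bucket's
# website origin may read, and only with GET.
ASSETS_CORS = [
    {
        "AllowedOrigins": ["http://my-bucket-html.s3-website.us-west-2.amazonaws.com"],
        "AllowedMethods": ["GET"],
        "AllowedHeaders": ["Authorization", "x-amz-*"],
        "ExposeHeaders": ["ETag"],
        "MaxAgeSeconds": 3000,
    }
]


def _match(pattern, value):
    """S3 CORS matching: '*' is a wildcard; at most one per AllowedOrigin entry."""
    if pattern.count("*") > 1:
        raise ValueError("S3 allows a single '*' in an AllowedOrigin: " + pattern)
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), value) is not None


def cors_response(rules, origin, method, request_headers=()):
    """Return the CORS response headers S3 would add, or None if no rule matches.

    Used both for the preflight (OPTIONS with Access-Control-Request-Method)
    and for the actual request: without these headers the browser blocks the
    response even though S3 served it.
    """
    for rule in rules:
        if method not in rule["AllowedMethods"]:
            continue
        if not any(_match(o, origin) for o in rule["AllowedOrigins"]):
            continue
        allowed = [h.lower() for h in rule.get("AllowedHeaders", [])]
        if not all(any(_match(a, h.lower()) for a in allowed) for h in request_headers):
            continue
        headers = {
            # S3 echoes the request origin unless the rule was the bare '*'
            "Access-Control-Allow-Origin": "*" if "*" in rule["AllowedOrigins"] else origin,
            "Access-Control-Allow-Methods": ", ".join(rule["AllowedMethods"]),
        }
        if request_headers:
            headers["Access-Control-Allow-Headers"] = ", ".join(request_headers)
        if rule.get("ExposeHeaders"):
            headers["Access-Control-Expose-Headers"] = ", ".join(rule["ExposeHeaders"])
        if "MaxAgeSeconds" in rule:
            headers["Access-Control-Max-Age"] = str(rule["MaxAgeSeconds"])
        return headers
    return None


def audit(rules):
    """Flag rules that let any origin send write methods. CORS is a browser
    gate, not authorization, but wildcard + PUT/POST/DELETE is rarely intended."""
    findings = []
    for i, rule in enumerate(rules):
        writes = sorted(set(rule["AllowedMethods"]) & {"PUT", "POST", "DELETE"})
        if "*" in rule["AllowedOrigins"] and writes:
            findings.append("rule %d: wildcard origin with %s" % (i, "/".join(writes)))
    return findings


if __name__ == "__main__":
    site = "http://my-bucket-html.s3-website.us-west-2.amazonaws.com"
    print(cors_response(ASSETS_CORS, site, "GET"))
    print(cors_response(ASSETS_CORS, "http://evil.example", "GET"))
    print(audit([{"AllowedOrigins": ["*"], "AllowedMethods": ["GET", "PUT"]}]))
```

Rules are evaluated in order and the first match wins, so put the narrow origin-specific rule before any wildcard one; and remember that a CORS rule never grants access by itself, the bucket policy or IAM still has to allow the GET.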
Amazon S3 — MFA Delete

* MFA (Multi-Factor Authentication) — force users to generate a code on a device (usually a mobile phone or hardware, e.g. Google Authenticator or an MFA hardware device) before doing important operations on S3
* MFA will be required to:
  * Permanently delete an object version
  * Suspend Versioning on the bucket
* MFA won't be required to:
  * Enable Versioning
  * List deleted versions
* To use MFA Delete, Versioning must be enabled on the bucket
* Only the bucket owner (root account) can enable/disable MFA Delete (through the AWS CLI / API, not the console)
S3 Access Logs

* For audit purpose, you may want to log all access to S3 buckets
* Any request made to S3, from any account, authorized or denied, will be logged into another S3 bucket
* That data can be analyzed using data analysis tools...
* The target logging bucket must be in the same AWS region
* The log format is at: https://docs.aws.amazon.com/AmazonS3/latest/dev/LogFormat.html
* Server access logs are delivered on a best-effort basis; for a guaranteed record of object-level API calls, use CloudTrail data events

(diagram) My-bucket -> log all requests -> Logging Bucket
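The log format linked above, parsed and scanned the way a first audit pass would, as an added example (not code from the course slides). The four log lines are constructed for the example (bucket, IDs and addresses are made up); the field order is the documented one, and the checks pull out denied requests, anonymous requests, requests over the plain HTTP endpoint and deletes.

```python
# Added example (not from the course slides): a parser for the S3 server
# access log format linked above, run over constructed sample lines, with the
# checks a security reviewer usually starts with (denied requests, anonymous
# requests, plain-HTTP requests, deletes). The bucket, IDs and addresses are
# made up; the field order follows the documented log format.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
    "object_size", "total_time", "turn_around_time", "referer", "user_agent",
    "version_id", "host_id", "signature_version", "cipher_suite", "auth_type",
    "host_header", "tls_version", "access_point_arn", "acl_required",
]

SAMPLE_LOG = """\
ownerid123 my-bucket [06/Feb/2023:00:00:38 +0000] 192.0.2.3 arn:aws:iam::123456789012:user/alice 3E57427F3EXAMPLE REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 200 - 2048 2048 7 4 "-" "aws-cli/2.11.0" - hostid1 SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader my-bucket.s3.us-east-1.amazonaws.com TLSv1.2 - -
ownerid123 my-bucket [06/Feb/2023:00:01:02 +0000] 198.51.100.7 - 7A4B9C2DEXAMPLE REST.GET.OBJECT public/logo.png "GET /public/logo.png HTTP/1.1" 200 - 5120 5120 9 5 "http://www.example.com/" "Mozilla/5.0" - hostid2 - - - my-bucket.s3.us-east-1.amazonaws.com - - -
ownerid123 my-bucket [06/Feb/2023:00:02:15 +0000] 203.0.113.9 arn:aws:iam::123456789012:user/mallory 9F1D3E0AEXAMPLE REST.PUT.OBJECT secret/keys.txt "PUT /secret/keys.txt HTTP/1.1" 403 AccessDenied 243 - 3 - "-" "python-requests/2.28" - hostid3 SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader my-bucket.s3.us-east-1.amazonaws.com TLSv1.2 - -
ownerid123 my-bucket [06/Feb/2023:00:03:40 +0000] 192.0.2.3 arn:aws:iam::123456789012:user/alice C2D4E6F8EXAMPLE REST.DELETE.OBJECT reports/q1.csv "DELETE /reports/q1.csv HTTP/1.1" 204 - - 2048 5 3 "-" "aws-cli/2.11.0" - hostid4 SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader my-bucket.s3.us-east-1.amazonaws.com TLSv1.2 - -
"""


def tokenize(line):
    """Split one log line on spaces, keeping "..." and [...] groups intact."""
    tokens, i, n = [], 0, len(line)
    while i < n:
        if line[i] == " ":
            i += 1
        elif line[i] in '"[':
            close = '"' if line[i] == '"' else "]"
            j = line.index(close, i + 1)
            tokens.append(line[i + 1:j])
            i = j + 1
        else:
            j = line.find(" ", i)
            j = n if j == -1 else j
            tokens.append(line[i:j])
            i = j
    return tokens


def parse(line):
    """One record as a dict; trailing fields absent in older logs are omitted."""
    record = dict(zip(FIELDS, tokenize(line)))
    record["http_status"] = int(record["http_status"])
    return record


def findings(log_text):
    """Request IDs grouped by what a reviewer would look at first."""
    out = {"denied": [], "anonymous": [], "plaintext_http": [], "deletes": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse(line)
        if r["http_status"] == 403 or r["error_code"] == "AccessDenied":
            out["denied"].append(r["request_id"])
        if r["requester"] == "-":
            out["anonymous"].append(r["request_id"])
        if r.get("tls_version", "-") == "-":  # no TLS version recorded: HTTP endpoint
            out["plaintext_http"].append(r["request_id"])
        if r["operation"].startswith("REST.DELETE"):
            out["deletes"].append(r["request_id"])
    return out


if __name__ == "__main__":
    for name, ids in findings(SAMPLE_LOG).items():
        print("%-15s %s" % (name, ", ".join(ids) or "-"))
```

An anonymous 200 on a plain-HTTP GET (the second line) is exactly what a public-read bucket policy without the aws:SecureTransport deny produces; seeing it in the logs is a quicker signal than re-reading the policy.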
S3 Access Logs: Warning

* Do not set your logging bucket to be the monitored bucket
* It will create a logging loop, and your bucket will grow exponentially

(diagram) App Bucket & Logging Bucket being the same bucket = logging loop. Do not try this at home
Amazon S3 — Pre-Signed URLs

* Generate pre-signed URLs using the S3 Console, AWS CLI or SDK
* URL Expiration
  * S3 Console — 1 min up to 720 mins (12 hours)
  * AWS CLI — configure expiration with --expires-in parameter in seconds (default 3600 secs, max. 604800 secs ~ 168 hours)
* Users given a pre-signed URL inherit the permissions of the user that generated the URL for GET / PUT
* Anyone holding the URL can use it until it expires (treat it like a bearer token); a URL signed with temporary credentials (e.g. an assumed role) stops working when those credentials expire, whatever --expires-in says
* Examples:
  * Allow only logged-in users to download a premium video from your S3 bucket
  * Allow an ever-changing list of users to download files by generating URLs dynamically
  * Allow temporarily a user to upload a file to a precise location in your S3 bucket

(diagram) User -> generates a pre-signed URL for an object in a private S3 Bucket -> hands the URL to another user, who downloads the object with it
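What a pre-signed URL actually contains, as an added example (not code from the course slides): Signature Version 4 query-string signing of an S3 GET with only the standard library, plus the check S3 performs when the URL is used (expiry, then signature). The credentials, bucket and key are fake and constructed for the example; the 604800-second ceiling is the one quoted above; a real URL is honored only if the signer's own IAM permissions allow the GET; and verify() assumes a bucket name without dots when it reads the bucket back out of the host name.

```python
# Added example (not from the course slides): generating and checking an S3
# pre-signed GET URL with Signature Version 4 query-string signing, using only
# the standard library so every signing step is visible and the 604800-second
# maximum from the slide is enforced. The credentials are fake and constructed
# for the example; a real URL is honored by S3 only if the signer's own IAM
# permissions allow the GET, and verify() assumes a bucket name without dots.
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qs, quote, unquote, urlsplit

MAX_EXPIRES = 604_800  # 7 days, the SigV4 pre-signed URL ceiling


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret_key, date, region, service="s3"):
    """Derive the scoped SigV4 signing key: date -> region -> service -> request."""
    k = _hmac(("AWS4" + secret_key).encode(), date)
    for part in (region, service, "aws4_request"):
        k = _hmac(k, part)
    return k


def presign_get(bucket, key, region, access_key, secret_key, expires, now=None):
    """Build https://bucket.s3.region.amazonaws.com/key?X-Amz-...&X-Amz-Signature=..."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("expires must be between 1 and %d seconds" % MAX_EXPIRES)
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date, date = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    host = "%s.s3.%s.amazonaws.com" % (bucket, region)
    scope = "%s/%s/s3/aws4_request" % (date, region)
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": "%s/%s" % (access_key, scope),
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    canonical_uri = "/" + quote(key)  # '/' kept, everything else percent-encoded
    canonical_qs = "&".join("%s=%s" % (quote(k, safe=""), quote(v, safe=""))
                            for k, v in sorted(params.items()))
    canonical_request = "\n".join(["GET", canonical_uri, canonical_qs,
                                   "host:%s\n" % host, "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    signature = hmac.new(signing_key(secret_key, date, region),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    return "https://%s%s?%s&X-Amz-Signature=%s" % (host, canonical_uri, canonical_qs, signature)


def verify(url, secret_key, now):
    """What S3 does on use: reject if expired, else recompute and compare the signature."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    signed_at = dt.datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
    if now > signed_at + dt.timedelta(seconds=int(q["X-Amz-Expires"])):
        return "expired"
    access_key, _date, region, _svc, _term = q["X-Amz-Credential"].split("/")
    expected = presign_get(parts.hostname.split(".")[0], unquote(parts.path[1:]), region,
                           access_key, secret_key, int(q["X-Amz-Expires"]), now=signed_at)
    expected_sig = expected.rsplit("X-Amz-Signature=", 1)[1]
    return "valid" if hmac.compare_digest(expected_sig, q["X-Amz-Signature"]) else "bad signature"


def demo():
    """Sign one URL with constructed credentials and show how S3 would judge it."""
    secret = "fakeSecretKeyForExample"
    signed = dt.datetime(2023, 2, 6, 12, 0, tzinfo=dt.timezone.utc)
    url = presign_get("my-bucket", "premium/video.mp4", "us-east-1",
                      "AKIAEXAMPLEKEY", secret, 3600, now=signed)
    return {
        "url": url,
        "in time": verify(url, secret, signed + dt.timedelta(minutes=30)),
        "too late": verify(url, secret, signed + dt.timedelta(hours=2)),
        "wrong secret": verify(url, "not-the-secret", signed),
        "tampered key": verify(url.replace("video.mp4", "other.mp4"), secret, signed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-13s %s" % (name, value))
```

The signature covers the method, the host, the object key and every X-Amz-* parameter, which is why changing the key in a shared URL yields "bad signature" rather than a different object; it does not cover anything about the bearer, which is why the URL must be treated as a secret for its whole lifetime.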


S3 Glacier Vault Lock

* Adopt a WORM (Write Once Read Many) model
* Create a Vault Lock Policy
* Lock the policy for future edits (can no longer be changed or deleted)
* Helpful for compliance and data retention

(diagram) Object stored in a Glacier vault with a Vault Lock Policy: the object can't be deleted
S3 Object Lock (versioning must be enabled)

* Adopt a WORM (Write Once Read Many) model
* Block an object version deletion for a specified amount of time
* Retention mode - Compliance:
  * Object versions can't be overwritten or deleted by any user including the root user
  * Objects retention modes can't be changed, and retention periods can't be shortened
* Retention mode - Governance:
  * Most users can't overwrite or delete an object version or alter its lock settings
  * Some users have special permissions to change the retention or delete the object (the s3:BypassGovernanceRetention permission, and the request must carry the x-amz-bypass-governance-retention header)
* Retention Period: protect the object for a fixed period, it can be extended
* Legal Hold:
  * protect the object indefinitely, independent from retention period
  * can be freely placed and removed using the s3:PutObjectLegalHold IAM permission
S3 — Access Points

(diagram) One S3 Bucket holding /finance/... and /sales/... prefixes:
  * Users (Finance) -> Finance Access Point, policy: grant R/W to the /finance prefix
  * Users (Sales) -> Sales Access Point, policy: grant R/W to the /sales prefix
  * Users (Analytics) -> Analytics Access Point, policy: grant R to the entire bucket

* Access Points simplify security management for S3 Buckets
* Each Access Point has:
  * its own DNS name (Internet Origin or VPC Origin)
  * an access point policy (similar to bucket policy) — manage security at scale
* The bucket policy must still allow requests that arrive through the access points (commonly by delegating to them with the s3:DataAccessPointAccount condition key)
S3 — Access Points — VPC Origin

* We can define the access point to be accessible only from within the VPC
* You must create a VPC Endpoint to access the Access Point (Gateway or Interface Endpoint)
* The VPC Endpoint Policy must allow access to the target bucket and Access Point

[Diagram: EC2 Instance -> VPC Endpoint -> VPC Origin Access Point -> S3 Bucket; the VPC Endpoint Policy allows both the bucket and the access point, for example the resource:]

"arn:aws:s3:us-west-2:123456789912:accesspoint/example-vpc-ap/object/*"
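As an added example (not from the course), the Python below builds a VPC endpoint policy that lists both the bucket and the access point, and `missing_resources` reports which of the required ARNs a policy that only lists the bucket would fail to cover. The account id, region, bucket name and access point name are placeholders; the resource-matching uses shell-style wildcards, which is enough for ARNs.

```python
"""Constructed example: an S3 VPC endpoint policy that covers the bucket and an
access point, plus a check for the common mistake of listing only the bucket."""
import fnmatch
import json

ACCOUNT = "123456789012"          # placeholder account id
REGION = "us-west-2"
BUCKET = "simple-bucket"          # placeholder bucket name
ACCESS_POINT = "example-vpc-ap"   # placeholder access point name

BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
ACCESS_POINT_ARN = f"arn:aws:s3:{REGION}:{ACCOUNT}:accesspoint/{ACCESS_POINT}"


def endpoint_policy(include_access_point: bool = True) -> dict:
    """Build the endpoint policy. include_access_point=False reproduces the
    broken variant that lists only the bucket, so requests through the
    access point are denied at the endpoint."""
    resources = [BUCKET_ARN, f"{BUCKET_ARN}/*"]
    if include_access_point:
        resources += [ACCESS_POINT_ARN, f"{ACCESS_POINT_ARN}/object/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowBucketAndAccessPoint",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": resources,
        }],
    }


def _allowed_resources(policy: dict) -> list:
    out = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        res = stmt.get("Resource", [])
        out.extend([res] if isinstance(res, str) else res)
    return out


def covers(policy: dict, resource_arn: str) -> bool:
    """True if some Allow statement's Resource pattern matches the ARN."""
    return any(fnmatch.fnmatchcase(resource_arn, pat) for pat in _allowed_resources(policy))


def missing_resources(policy: dict) -> list:
    """ARNs the slide says the endpoint policy must allow that this policy does
    not cover: the bucket, its objects, the access point, and objects read
    through the access point (object key is constructed)."""
    required = [
        BUCKET_ARN,
        f"{BUCKET_ARN}/finance/report.csv",
        ACCESS_POINT_ARN,
        f"{ACCESS_POINT_ARN}/object/finance/report.csv",
    ]
    return [arn for arn in required if not covers(policy, arn)]


if __name__ == "__main__":
    print(json.dumps(endpoint_policy(), indent=2))
    print("missing with bucket-only policy:",
          missing_resources(endpoint_policy(include_access_point=False)))
```

Note the two resource shapes: the bucket ARN has no region or account, while the access point ARN does, and objects through the access point sit under `/object/`. A policy reviewer checking endpoint policies for access points should look for all four forms.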
S3 Object Lambda

* Use AWS Lambda Functions to change the object before it is retrieved by the caller application
* Only one S3 bucket is needed, on top of which we create S3 Access Points and S3 Object Lambda Access Points
* Use Cases:
  * Redacting personally identifiable information for analytics or non-production environments
  * Converting across data formats, such as converting XML to JSON
  * Resizing and watermarking images on the fly using caller-specific details, such as the user who requested the object
[Diagram (AWS Cloud): a single S3 Bucket exposed through a supporting S3 Access Point. The E-Commerce Application reads the original object. The Analytics Application reads through an S3 Object Lambda Access Point backed by a Redacting Lambda Function and receives a redacted object. The Marketing Application reads through an S3 Object Lambda Access Point backed by an Enriching Lambda Function, which looks up a Customer Loyalty Database and returns an enriched object]
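An added example of the "Redacting Lambda Function" from the diagram, written for this page rather than taken from the course. The event fields (`getObjectContext` with `inputS3Url`, `outputRoute`, `outputToken`) and the `WriteGetObjectResponse` call are the Object Lambda interface; the redaction patterns, the sample record and the pass-through rule for non-text objects are this example's own choices. `boto3` is imported inside the handler so the transform can be run and tested without the SDK installed.

```python
"""Constructed S3 Object Lambda handler that redacts PII before the caller sees the object."""
import re
import urllib.request

# Constructed patterns: e-mail addresses and US-style SSNs. Extend for your data.
PII_PATTERNS = [
    (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), "[EMAIL]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
]


def redact(text: str) -> str:
    """Replace every PII match with a placeholder token."""
    for pattern, token in PII_PATTERNS:
        text = pattern.sub(token, text)
    return text


def redact_bytes(body: bytes) -> bytes:
    """Transform the raw object. Objects that are not UTF-8 text (images,
    archives) are returned unchanged rather than corrupted."""
    try:
        return redact(body.decode("utf-8")).encode("utf-8")
    except UnicodeDecodeError:
        return body


def lambda_handler(event, context):
    """Entry point invoked through the S3 Object Lambda Access Point."""
    import boto3  # imported here so the module loads without the AWS SDK

    ctx = event["getObjectContext"]
    # The presigned URL fetches the original object via the supporting access point.
    with urllib.request.urlopen(ctx["inputS3Url"]) as resp:
        original = resp.read()

    s3 = boto3.client("s3")
    # Hand the transformed bytes back to S3, which returns them to the caller.
    s3.write_get_object_response(
        RequestRoute=ctx["outputRoute"],
        RequestToken=ctx["outputToken"],
        Body=redact_bytes(original),
    )
    return {"statusCode": 200}


# Constructed sample record as it might be stored in the bucket.
SAMPLE = b"order=42,customer=jane.doe@example.com,ssn=123-45-6789,total=19.99\n"

if __name__ == "__main__":
    print(redact_bytes(SAMPLE).decode())
```

Because the redaction happens on the read path, the analytics application never needs a second, sanitized copy of the data kept in sync with the original; the Lambda function's execution role and the Object Lambda access point policy are where access to the original object is controlled.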
Global Infrastructure
Amazon CloudFront

* Content Delivery Network (CDN)
* Improves read performance, content is cached at the edge
* Improves users' experience
* 216 Points of Presence globally (edge locations)
* DDoS protection (because worldwide), integration with Shield, AWS Web Application Firewall

Source: https://aws.amazon.com/cloudfront/features/?nc=sn&loc=2
CloudFront — Origins

* S3 bucket
  * For distributing files and caching them at the edge
  * Enhanced security with CloudFront Origin Access Control (OAC)
  * OAC is replacing Origin Access Identity (OAI)
  * CloudFront can be used as an ingress (to upload files to S3)

* Custom Origin (HTTP)
  * Application Load Balancer
  * EC2 instance
  * S3 website (must first enable the bucket as a static S3 website)
  * Any HTTP backend you want
CloudFront at a high level

GET /beach.jpg?size=300x300 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.example.com
Accept-Encoding: gzip, deflate

[Diagram: the Client sends the request above to a CloudFront Edge Location; the edge answers from its Local Cache on a hit, otherwise it forwards the request to your Origin and caches the response]
CloudFront — S3 as an Origin

[Diagram: edge locations in Los Angeles, Mumbai, Sao Paulo and Melbourne fetch from the Origin (S3 bucket) over the private AWS network; access to the bucket is secured with Origin Access Control (OAC) + S3 bucket policy]
CloudFront vs S3 Cross Region Replication

* CloudFront:
  * Global Edge network
  * Files are cached for a TTL (maybe a day)
  * Great for static content that must be available everywhere

* S3 Cross Region Replication:
  * Must be set up for each region you want replication to happen
  * Files are updated in near real-time
  * Read only
  * Great for dynamic content that needs to be available at low-latency in few regions
CloudFront — ALB or EC2 as an origin

[Diagram 1: Edge Location -> EC2 Instances (must be public); the EC2 security group allows the public IPs of the Edge Locations]

[Diagram 2: Edge Location -> Application Load Balancer (must be public) -> EC2 Instances (can be private); the load balancer security group allows the public IPs of the Edge Locations, and the EC2 security group allows the security group of the Load Balancer]

List of CloudFront edge public IPs: http://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips
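An added example (not course material) of turning the IP list served at the URL above into the "allow public IPs of edge locations" security group rules from the diagram. The JSON keys `CLOUDFRONT_GLOBAL_IP_LIST` and `CLOUDFRONT_REGIONAL_EDGE_IP_LIST` are the ones that tool returns; verify them against a live fetch before relying on them. The CIDRs below are constructed documentation ranges, not real CloudFront prefixes, and the 60-rule quota is the default security group limit, assumed here as the threshold to warn on.

```python
"""Constructed example: build security-group ingress rules from the CloudFront IP list."""
import ipaddress
import json

# Constructed sample in the tool's shape (real output has many more entries).
SAMPLE_IP_LIST = json.dumps({
    "CLOUDFRONT_GLOBAL_IP_LIST": ["198.51.100.0/24", "203.0.113.0/25", "203.0.113.128/25"],
    "CLOUDFRONT_REGIONAL_EDGE_IP_LIST": ["192.0.2.0/24"],
})

# Each (port, CIDR) pair costs one rule; the default inbound quota per group is
# assumed to be 60. The full CloudFront list needs a raised quota or several groups.
MAX_RULES_PER_GROUP = 60


def parse_ip_list(raw: str) -> list:
    """Validate and merge the two lists into collapsed IPv4 CIDRs (duplicates and
    adjacent halves are folded so fewer rules are needed)."""
    data = json.loads(raw)
    cidrs = data.get("CLOUDFRONT_GLOBAL_IP_LIST", []) + data.get("CLOUDFRONT_REGIONAL_EDGE_IP_LIST", [])
    nets = []
    for c in cidrs:
        net = ipaddress.ip_network(c, strict=True)   # raises ValueError on malformed input
        if net.version == 4 and net not in nets:
            nets.append(net)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def ingress_permissions(cidrs: list, ports=(80, 443)) -> list:
    """IpPermissions structure as accepted by EC2 AuthorizeSecurityGroupIngress."""
    return [
        {
            "IpProtocol": "tcp",
            "FromPort": port,
            "ToPort": port,
            "IpRanges": [{"CidrIp": c, "Description": "CloudFront edge"} for c in cidrs],
        }
        for port in ports
    ]


def rule_count(perms: list) -> int:
    return sum(len(p["IpRanges"]) for p in perms)


def plan(raw: str) -> dict:
    """Everything an operator needs before applying: the CIDRs, the permission
    payload, and whether it fits in a single security group."""
    cidrs = parse_ip_list(raw)
    perms = ingress_permissions(cidrs)
    n = rule_count(perms)
    return {"cidrs": cidrs, "permissions": perms, "rules": n,
            "fits_one_group": n <= MAX_RULES_PER_GROUP}


if __name__ == "__main__":
    print(json.dumps(plan(SAMPLE_IP_LIST), indent=2))
```

Restricting the origin to CloudFront's address ranges keeps requests from bypassing the distribution (and whatever WAF or geo restriction is attached to it) by hitting the ALB or instance directly; the list changes over time, so the job that applies it should be re-run whenever the published list changes.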
CloudFront Geo Restriction

* You can restrict who can access your distribution
  * Allowlist: Allow your users to access your content only if they're in one of the countries on a list of approved countries.
  * Blocklist: Prevent your users from accessing your content if they're in one of the countries on a list of banned countries.
* The "country" is determined using a 3rd party Geo-IP database
* Use case: Copyright Laws to control access to content
CloudFront - Pricing

* CloudFront Edge locations are all around the world
* The cost of data out per edge location varies

Regions: (1) United States, Mexico, & Canada; (2) Europe & Israel; (3) South Africa, Kenya, & Middle East; (4) South America; (5) Japan; (6) Australia & New Zealand; (7) Hong Kong, Philippines, Singapore, South Korea, Taiwan, & Thailand; (8) India

Per Month    | (1)    | (2)    | (3)    | (4)    | (5)    | (6)    | (7)    | (8)
First 10TB   | $0.085 | $0.085 | $0.110 | $0.110 | $0.114 | $0.114 | $0.140 | $0.170
Next 40TB    | $0.080 | $0.080 | $0.105 | $0.105 | $0.089 | $0.098 | $0.135 | $0.130
Next 100TB   | $0.060 | $0.060 | $0.090 | $0.090 | $0.086 | $0.094 | $0.120 | $0.110
Next 350TB   | $0.040 | $0.040 | $0.080 | $0.080 | $0.084 | $0.092 | $0.100 | $0.100
Next 524TB   | $0.030 | $0.030 | $0.060 | $0.060 | $0.080 | $0.090 | $0.080 | $0.100
Next 4PB     | $0.025 | $0.025 | $0.050 | $0.050 | $0.070 | $0.085 | $0.070 | $0.100
Over 5PB     | $0.020 | $0.020 | $0.040 | $0.040 | $0.060 | $0.080 | $0.060 | $0.100

(price per GB of data out; lower on the left, higher on the right)
CloudFront — Price Classes

* You can reduce the number of edge locations for cost reduction
* Three price classes:
  1. Price Class All: all regions — best performance
  2. Price Class 200: most regions, but excludes the most expensive regions
  3. Price Class 100: only the least expensive regions

Regions: (1) United States, Mexico, & Canada; (2) Europe & Israel; (3) South Africa, Kenya, & Middle East; (4) South America; (5) Japan; (6) Australia & New Zealand; (7) Hong Kong, Philippines, Singapore, South Korea, Taiwan, & Thailand; (8) India

Edge Locations Included Within | (1) | (2) | (3) | (4) | (5) | (6) | (7) | (8)
Price Class All                | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Price Class 200                | Yes | Yes | Yes | x   | Yes | x   | Yes | Yes
Price Class 100                | Yes | Yes | x   | x   | x   | x   | x   | x
CloudFront - Price Classes

[World map: edge locations included in Price Class 100, Price Class 200 and Price Class All]
CloudFront — Cache Invalidations

* In case you update the back-end origin, CloudFront doesn't know about it and will only get the refreshed content after the TTL has expired
* However, you can force an entire or partial cache refresh (thus bypassing the TTL) by performing a CloudFront Invalidation
* You can invalidate all files (*) or a special path (/images/*)

[Diagram: files are updated in the S3 Bucket (origin); an invalidation for /index.html and /images/* is issued to CloudFront, which refreshes the affected files at every Edge Location]
Global users for our application

* You have deployed an application and have global users who want to access it directly.
* They go over the public internet, which can add a lot of latency due to many hops
* We wish to go as fast as possible through the AWS network to minimize latency

[Diagram: users in Europe, Australia and India reach a Public ALB over the public internet, through many hops]

© Stephane Maarek
Unicast IP vs Anycast IP

* Unicast IP: one server holds one IP address
* Anycast IP: all servers hold the same IP address and the client is routed to the nearest one

[Diagram: Unicast: the client chooses between two servers at 12.34.56.78 and 98.76.54.32; Anycast: both servers hold 12.34.56.78 and the client is routed to the nearest one]
AWS Global Accelerator

* Leverage the AWS internal network to route to your application
* 2 Anycast IPs are created for your application
* The Anycast IPs send traffic directly to Edge Locations
* The Edge Locations send the traffic to your application

[Diagram: users in America, Europe, Australia and India reach the nearest Edge Location over the public internet, then travel the private AWS network to the application]
AWS Global Accelerator

* Works with Elastic IP, EC2 instances, ALB, NLB, public or private
* Consistent Performance
  * Intelligent routing to lowest latency and fast regional failover
  * No issue with client cache (because the IP doesn't change)
  * Internal AWS network
* Health Checks
  * Global Accelerator performs a health check of your applications
  * Helps make your application global (failover less than 1 minute for unhealthy)
  * Great for disaster recovery (thanks to the health checks)
* Security
  * only 2 external IPs need to be whitelisted
  * DDoS protection thanks to AWS Shield
AWS Global Accelerator vs CloudFront

* They both use the AWS global network and its edge locations around the world
* Both services integrate with AWS Shield for DDoS protection.

* CloudFront
  * Improves performance for both cacheable content (such as images and videos)
  * Dynamic content (such as API acceleration and dynamic site delivery)
  * Content is served at the edge

* Global Accelerator
  * Improves performance for a wide range of applications over TCP or UDP
  * Proxying packets at the edge to applications running in one or more AWS Regions.
  * Good fit for non-HTTP use cases, such as gaming (UDP), IoT (MQTT), or Voice over IP
  * Good for HTTP use cases that require static IP addresses
  * Good for HTTP use cases that require deterministic, fast regional failover
Advanced Storage on AWS

AWS Snow Family

* Highly-secure, portable devices to collect and process data at the edge, and migrate data into and out of AWS
* Data migration: Snowcone, Snowball Edge, Snowmobile
* Edge computing: Snowcone, Snowball Edge
Data Migrations with AWS Snow Family

Challenges:
* Limited connectivity
* Limited bandwidth
* High network cost
* Shared bandwidth (can't maximize the line)
* Connection stability

AWS Snow Family: offline devices to perform data migrations
If it takes more than a week to transfer over the network, use Snowball devices!
Diagrams

* Direct upload to S3: client -> (www, 10Gbit/s) -> Amazon S3 bucket
* With Snow Family: client -> AWS Snowball, ship the device to AWS, AWS Snowball import/export -> Amazon S3 bucket

Snowball Edge (for data transfers)


* Physical data transport solution: move TBs or PBs of data in or out 
of AWS 


. ec ee to moving data over the network (and paying network 
ees 


* Pay per data transfer Job 
e Provide block storage and Amazon S3-compatible object storage 


“ Snowball Edge Storage Optimized 


e 80 TB of HDD capacity for block volume and 53 compatible object 
storage 


“ Snowball Edge Compute Optimized 


e 42 TB of HDD or 281B NVMe capacity for block volume and 53 
compatible object storage 


“ Use cases: large data cloud migrations, DC decommission, disaster 
recovery 
AWS Snowcone & Snowcone SSD

* Small, portable computing, anywhere, rugged & secure, withstands harsh environments
* Light (4.5 pounds, 2.1 kg)
* Device used for edge computing, storage, and data transfer
* Snowcone — 8 TB of HDD Storage
* Snowcone SSD — 14 TB of SSD Storage
* Use Snowcone where Snowball does not fit (space-constrained environment)
* Must provide your own battery / cables
* Can be sent back to AWS offline, or connect it to the internet and use AWS DataSync to send data
AWS Snowmobile

* Transfer exabytes of data (1 EB = 1,000 PB = 1,000,000 TBs)
* Each Snowmobile has 100 PB of capacity (use multiple in parallel)
* High security: temperature controlled, GPS, 24/7 video surveillance
* Better than Snowball if you transfer more than 10 PB
AWS Snow Family for Data Migrations

                   | Snowcone & Snowcone SSD         | Snowball Edge Storage Optimized | Snowmobile
Storage capacity   | 8 TB HDD / 14 TB SSD            | 80 TB usable                    | < 100 PB
Migration size     | Up to 24 TB, online and offline | Up to petabytes, offline        | Up to exabytes, offline
DataSync agent     | Pre-installed                   |                                 |
Storage Clustering |                                 | Up to 15 nodes                  |
Snow Family — Usage Process

1. Request Snowball devices from the AWS console for delivery
2. Install the snowball client / AWS OpsHub on your servers
3. Connect the snowball to your servers and copy files using the client
4. Ship back the device when you're done (goes to the right AWS facility)
5. Data will be loaded into an S3 bucket
6. Snowball is completely wiped
What is Edge Computing?

* Process data while it's being created on an edge location
  * A truck on the road, a ship on the sea, a mining station underground...
* These locations may have
  * Limited / no internet access
  * Limited / no easy access to computing power
* We set up a Snowball Edge / Snowcone device to do edge computing
* Use cases of Edge Computing:
  * Preprocess data
  * Machine learning at the edge
  * Transcoding media streams
* Eventually (if need be) we can ship back the device to AWS (for transferring data for example)
Snow Family — Edge Computing

* Snowcone & Snowcone SSD (smaller)
  * 2 CPUs, 4 GB of memory, wired or wireless access
  * USB-C power using a cord or the optional battery
* Snowball Edge — Compute Optimized
  * 104 vCPUs, 416 GiB of RAM
  * Optional GPU (useful for video processing or machine learning)
  * 28 TB NVMe or 42 TB HDD usable storage
* Snowball Edge — Storage Optimized
  * Up to 40 vCPUs, 80 GiB of RAM, 80 TB storage
  * Object storage clustering available
* All: Can run EC2 Instances & AWS Lambda functions (using AWS IoT Greengrass)
* Long-term deployment options: 1 and 3 years discounted pricing
AWS OpsHub

* Historically, to use Snow Family devices, you needed a CLI (Command Line Interface tool)
* Today, you can use AWS OpsHub (a software you install on your computer / laptop) to manage your Snow Family Device
  * Unlocking and configuring single or clustered devices
  * Transferring files
  * Launching and managing instances running on Snow Family Devices
  * Monitor device metrics (storage capacity, active instances on your device)
  * Launch compatible AWS services on your devices (ex: Amazon EC2 instances, AWS DataSync, Network File System (NFS))

[Screenshot of the AWS OpsHub interface]

https://aws.amazon.com/blogs/aws/aws-snowball-edge-update/
Solution Architecture: Snowball into Glacier

* Snowball cannot import to Glacier directly
* You must use Amazon S3 first, in combination with an S3 lifecycle policy

[Diagram: Snowball -> (import) -> Amazon S3 -> (S3 lifecycle policy) -> Amazon Glacier]
Amazon FSx — Overview

* Launch 3rd party high-performance file systems on AWS
* Fully managed service

[Diagram: FSx for Lustre, FSx for Windows File Server, FSx for NetApp ONTAP, FSx for OpenZFS]
Amazon FSx for Windows (File Server)

* FSx for Windows is a fully managed Windows file system share drive
* Supports SMB protocol & Windows NTFS
* Microsoft Active Directory integration, ACLs, user quotas
* Can be mounted on Linux EC2 instances
* Supports Microsoft's Distributed File System (DFS) Namespaces (group files across multiple FS)
* Scale up to 10s of GB/s, millions of IOPS, 100s PB of data
* Storage Options:
  * SSD - latency sensitive workloads (databases, media processing, data analytics, ...)
  * HDD - broad spectrum of workloads (home directory, CMS, ...)
* Can be accessed from your on-premises infrastructure (VPN or Direct Connect)
* Can be configured to be Multi-AZ (high availability)
* Data is backed-up daily to S3
Amazon FSx for Lustre

* Lustre is a type of parallel distributed file system, for large-scale computing
* The name Lustre is derived from "Linux" and "cluster"
* Machine Learning, High Performance Computing (HPC)
* Video Processing, Financial Modeling, Electronic Design Automation
* Scales up to 100s GB/s, millions of IOPS, sub-ms latencies
* Storage Options:
  * SSD - low-latency, IOPS intensive workloads, small & random file operations
  * HDD - throughput-intensive workloads, large & sequential file operations
* Seamless integration with S3
  * Can "read S3" as a file system (through FSx)
  * Can write the output of the computations back to S3 (through FSx)
* Can be used from on-premises servers (VPN or Direct Connect)
FSx Lustre - File System Deployment Options

* Scratch File System
  * Temporary storage
  * Data is not replicated (doesn't persist if file server fails)
  * High burst (6x faster, 200MBps per TiB)
  * Usage: short-term processing, optimize costs
* Persistent File System
  * Long-term storage
  * Data is replicated within same AZ
  * Replace failed files within minutes
  * Usage: long-term processing, sensitive data

[Diagram: compute instances in one Availability Zone of a Region mount FSx for Lustre (scratch file system or persistent file system), with an optional S3 bucket as data repository]
Amazon FSx for NetApp ONTAP

* Managed NetApp ONTAP on AWS
* File System compatible with NFS, SMB, iSCSI protocol
* Move workloads running on ONTAP or NAS to AWS
* Works with:
  * Linux
  * Windows
  * MacOS
  * VMware Cloud on AWS
  * Amazon Workspaces & AppStream 2.0
  * Amazon EC2, ECS and EKS
* Storage shrinks or grows automatically
* Snapshots, replication, low-cost, compression and data de-duplication
* Point-in-time instantaneous cloning (helpful for testing new workloads)

[Diagram: an Amazon FSx for NetApp ONTAP file system accessed over NFS, SMB, iSCSI from Linux, Windows, macOS, VMware Cloud on AWS, Amazon AppStream 2.0, Amazon WorkSpaces, EC2, ECS, EKS and on-premises servers]
Amazon FSx for OpenZFS

* Managed OpenZFS file system on AWS
* File System compatible with NFS (v3, v4, v4.1, v4.2)
* Move workloads running on ZFS to AWS
* Works with:
  * Linux
  * Windows
  * MacOS
  * VMware Cloud on AWS
  * Amazon Workspaces & AppStream 2.0
  * Amazon EC2, ECS and EKS
* Up to 1,000,000 IOPS with < 0.5 ms latency
* Snapshots, compression and low-cost
* Point-in-time instantaneous cloning (helpful for testing new workloads)

[Diagram: an Amazon FSx for OpenZFS file system accessed over NFS (v3, v4, v4.1, v4.2) from Linux, Windows, macOS, VMware Cloud on AWS, Amazon AppStream 2.0, Amazon WorkSpaces, EC2, ECS, EKS and on-premises servers]
Hybrid Cloud for Storage

* AWS is pushing for "hybrid cloud"
  * Part of your infrastructure is on the cloud
  * Part of your infrastructure is on-premises
* This can be due to
  * Long cloud migrations
  * Security requirements
  * Compliance requirements
  * IT strategy
* S3 is a proprietary storage technology (unlike EFS / NFS), so how do you expose the S3 data on-premises?
* AWS Storage Gateway!
AWS Storage Cloud Native Options

[Diagram: Block storage (Amazon EBS, EC2 Instance Store), File storage (Amazon EFS, Amazon FSx), Object storage (Amazon S3, Amazon Glacier)]
AWS Storage Gateway

* Bridge between on-premises data and cloud data
* Use cases:
  * disaster recovery
  * backup & restore
  * tiered storage
  * on-premises cache & low-latency files access
* Types of Storage Gateway:
  * S3 File Gateway
  * FSx File Gateway
  * Volume Gateway
  * Tape Gateway
Amazon S3 File Gateway

* Configured S3 buckets are accessible using the NFS and SMB protocol
* Most recently used data is cached in the file gateway
* Supports S3 Standard, S3 Standard IA, S3 One Zone-IA, S3 Intelligent Tiering
* Transition to S3 Glacier using a Lifecycle Policy
* Bucket access using IAM roles for each File Gateway
* SMB Protocol has integration with Active Directory (AD) for user authentication

[Diagram: Application Server in the Corporate Data Center -> (NFS or SMB) -> S3 File Gateway -> (AWS Cloud) S3 Standard / S3 Standard IA / S3 One Zone-IA / S3 Intelligent-Tiering -> (Lifecycle policy) -> S3 Glacier]
Amazon FSx File Gateway

* Native access to Amazon FSx for Windows File Server
* Local cache for frequently accessed data
* Windows native compatibility (SMB, NTFS, Active Directory...)
* Useful for group file shares and home directories

[Diagram: SMB Clients in the Corporate Data Center -> Amazon FSx File Gateway -> (AWS Cloud) Amazon FSx for Windows File Server file systems]
Volume Gateway

* Block storage using iSCSI protocol backed by S3
* Backed by EBS snapshots which can help restore on-premises volumes!
* Cached volumes: low latency access to most recent data
* Stored volumes: entire dataset is on-premises, scheduled backups to S3

[Diagram: Application Server in the Corporate Data Center -> (iSCSI) -> Volume Gateway -> (AWS Cloud) Amazon EBS Snapshots]
Tape Gateway

* Some companies have backup processes using physical tapes (!)
* With Tape Gateway, companies use the same processes but in the cloud
* Virtual Tape Library (VTL) backed by Amazon S3 and Glacier
* Back up data using existing tape-based processes (and iSCSI interface)
* Works with leading backup software vendors

[Diagram: Backup Server in the Corporate Data Center -> (iSCSI, media changer) -> Tape Gateway -> (AWS Cloud) Virtual Tapes stored in Amazon S3, Archived Tapes stored in Amazon Glacier]
Storage Gateway — Hardware appliance

* Using Storage Gateway means you need on-premises virtualization
* Otherwise, you can use a Storage Gateway Hardware Appliance
* You can buy it on amazon.com
* Works with File Gateway, Volume Gateway, Tape Gateway
* Has the required CPU, memory, network, SSD cache resources
* Helpful for daily NFS backups in small data centers

[Screenshot: "Select host platform" in the Storage Gateway console: VMware ESXi, Microsoft Hyper-V 2012R2/2016, Linux KVM, Amazon EC2, Hardware Appliance (Buy on Amazon / Activate Appliance)]
AWS Storage Gateway

[Diagram: On-Premises -> AWS Cloud, with encryption in transit over the Internet or Direct Connect; gateway deployment options: VM (VMware, Hyper-V, KVM) or Hardware Appliance]

* User/group file shares -> (NFS/SMB) -> File Gateway (local cache) -> Amazon S3, any S3 Storage Class excluding Glacier & Glacier Deep Archive; lifecycle to any S3 Storage Class including Glacier
* Volume Gateway (local cache) -> (iSCSI) -> Amazon S3 -> AWS EBS (automated backups)
* Backup Application -> (iSCSI VTL) -> Tape Gateway (local cache) -> Tape Library on Amazon S3; eject from the backup application -> Tape Archive on Glacier & Glacier Deep Archive
* FSx File Gateway -> Amazon FSx for Windows File Server
AWS Transfer Family

* A fully-managed service for file transfers into and out of Amazon S3 or Amazon EFS using the FTP protocol
* Supported Protocols
  * AWS Transfer for FTP (File Transfer Protocol (FTP))
  * AWS Transfer for FTPS (File Transfer Protocol over SSL (FTPS))
  * AWS Transfer for SFTP (Secure File Transfer Protocol (SFTP))
* Managed infrastructure, Scalable, Reliable, Highly Available (multi-AZ)
* Pay per provisioned endpoint per hour + data transfers in GB
* Store and manage users' credentials within the service
* Integrate with existing authentication systems (Microsoft Active Directory, LDAP, Okta, Amazon Cognito, custom)
* Usage: sharing files, public datasets, CRM, ERP ...
AWS Transfer Family

[Diagram: Users (FTP client) -> Route 53 (optional) -> AWS Transfer Family endpoints: AWS Transfer for SFTP, AWS Transfer for FTPS, AWS Transfer for FTP (only within VPC); users are authenticated against MS Active Directory / LDAP; the service assumes an IAM Role to reach Amazon S3 or Amazon EFS]
AWS DataSync

* Move large amounts of data to and from
  * On-premises / other cloud to AWS (NFS, SMB, HDFS, S3 API...) — needs agent
  * AWS to AWS (different storage services) — no agent needed
* Can synchronize to:
  * Amazon S3 (any storage classes — including Glacier)
  * Amazon EFS
  * Amazon FSx (Windows, Lustre, NetApp, OpenZFS...)
* Replication tasks can be scheduled hourly, daily, weekly
* File permissions and metadata are preserved (NFS POSIX, SMB...)
* One agent task can use 10 Gbps, can set up a bandwidth limit
AWS DataSync
NFS / SMB to AWS (S3, EFS, FSx...)

[Diagram: On-Premises NFS or SMB Server -> (NFS or SMB) -> AWS DataSync Agent (or an AWS Snowcone with the agent pre-installed) -> AWS DataSync -> AWS Storage Resources: S3 Standard, S3 Intelligent-Tiering, S3 Standard-IA, S3 One Zone-IA, Glacier Deep Archive, AWS EFS, Amazon FSx]

AWS DataSync
Transfer between AWS storage services

[Diagram: AWS DataSync copies data and metadata between AWS Storage Services: Amazon S3 <-> Amazon S3, Amazon EFS <-> Amazon EFS, Amazon FSx <-> Amazon FSx]
Storage Comparison

* S3: Object Storage
* S3 Glacier: Object Archival
* EBS volumes: Network storage for one EC2 instance at a time
* Instance Storage: Physical storage for your EC2 instance (high IOPS)
* EFS: Network File System for Linux instances, POSIX filesystem
* FSx for Windows: Network File System for Windows servers
* FSx for Lustre: High Performance Computing Linux file system
* FSx for NetApp ONTAP: High OS Compatibility
* FSx for OpenZFS: Managed ZFS file system
* Storage Gateway: S3 & FSx File Gateway, Volume Gateway (cache & stored), Tape Gateway
* Transfer Family: FTP, FTPS, SFTP interface on top of Amazon S3 or Amazon EFS
* DataSync: Schedule data sync from on-premises to AWS, or AWS to AWS
* Snowcone / Snowball / Snowmobile: to move large amounts of data to the cloud, physically
* Database: for specific workloads, usually with indexing and querying
AWS Integration & Messaging
SQS, SNS & Kinesis

Section Introduction

* When we start deploying multiple applications, they will inevitably need to communicate with one another
* There are two patterns of application communication
  1) Synchronous communications (application to application): Buying Service -> Shipping Service
  2) Asynchronous / Event based (application to queue to application): Buying Service -> Queue -> Shipping Service
Section Introduction

* Synchronous communication between applications can be problematic if there are sudden spikes of traffic
* What if you need to suddenly encode 1000 videos but usually it's 10?
* In that case, it's better to decouple your applications,
  * using SQS: queue model
  * using SNS: pub/sub model
  * using Kinesis: real-time streaming model
* These services can scale independently from our application!
Amazon SQS
What's a queue?

[Diagram: producers send messages to the SQS queue; consumers poll messages from it]
Amazon SQS — Standard Queue

* Oldest offering (over 10 years old)
* Fully managed service, used to decouple applications
* Attributes:
  * Unlimited throughput, unlimited number of messages in queue
  * Default retention of messages: 4 days, maximum of 14 days
  * Low latency (<10 ms on publish and receive)
  * Limitation of 256KB per message sent
* Can have duplicate messages (at least once delivery, occasionally)
* Can have out of order messages (best effort ordering)
SQS — Producing Messages

* Produced to SQS using the SDK (SendMessage API)
* The message is persisted in SQS until a consumer deletes it
* Message retention: default 4 days, up to 14 days
* Example: send an order to be processed
  * Order id
  * Customer id
  * Any attributes you want
* SQS standard: unlimited throughput

[Diagram: a producer sends a Message (up to 256 KB) to the SQS Queue]
SQS — Consuming Messages

* Consumers (running on EC2 instances, servers, or AWS Lambda)...
* Poll SQS for messages (receive up to 10 messages at a time)
* Process the messages (example: insert the message into an RDS database)
* Delete the messages using the DeleteMessage API

[Diagram: a consumer receives messages from the SQS Queue, inserts them into Amazon RDS, then calls DeleteMessage]

SQS — Multiple EC2 Instances Consumers

* Consumers receive and process messages in parallel
* At least once delivery
* Best-effort message ordering
* Consumers delete messages after processing them
* We can scale consumers horizontally to improve throughput of processing

[Diagram: several EC2 instances polling the same SQS Queue]
SQS with Auto Scaling Group (ASG)

[Diagram: EC2 Instances in an Auto Scaling Group poll the SQS Queue for messages; the CloudWatch Metric "Queue Length" (ApproximateNumberOfMessages) feeds a CloudWatch Alarm, which on breach scales the Auto Scaling Group]

SQS to decouple between application tiers

[Diagram: a front-end tier (Auto-Scaling) receives requests and calls SendMessage on an SQS Queue (infinitely scalable); a back-end processing application (Auto-Scaling) calls ReceiveMessages]
Amazon SQS - Security

* Encryption:
  * In-flight encryption using HTTPS API
  * At-rest encryption using KMS keys
  * Client-side encryption if the client wants to perform encryption/decryption itself
* Access Controls: IAM policies to regulate access to the SQS API
* SQS Access Policies (similar to S3 bucket policies)
  * Useful for cross-account access to SQS queues
  * Useful for allowing other services (SNS, S3...) to write to an SQS queue
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SQS — Message Visibility Timeout


* After a message is polled by a consumer, it becomes invisible to other consumers
* By default, the "message visibility timeout" is 30 seconds
* That means the message has 30 seconds to be processed

* After the message visibility timeout is over, the message is "visible" in SQS

[Diagram: timeline of four ReceiveMessage requests; the first returns the message, the next requests during the visibility timeout return nothing ("Not returned"), and once the timeout has elapsed the message is returned again]
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SQS — Message Visibility Timeout


[Diagram: same timeline as above; the message is returned, not returned while the visibility timeout runs, then returned again]

* If a message is not processed within the visibility timeout, it will be processed twice
* A consumer could call the ChangeMessageVisibility API to get more time

* If visibility timeout is high (hours), and consumer crashes, re-processing will take time

* If visibility timeout is too low (seconds), we may get duplicates
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Amazon SQS - Long Polling


* When a consumer requests messages from the queue, it can optionally "wait" for messages to arrive if there are none in the queue

* This is called Long Polling

* Long Polling decreases the number of API calls made to SQS while increasing the efficiency and reducing latency of your application

* The wait time can be between 1 sec to 20 sec (20 sec preferable)

* Long Polling is preferable to Short Polling
* Long Polling can be enabled at the queue level or at the API level using WaitTimeSeconds

[Diagram: a Consumer polls the SQS Queue and waits for a message to arrive]
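To make the visibility-timeout and long-polling behaviour above concrete, here is an added model (not code from the course or from AWS) of an SQS standard queue driven by a simulated clock: `deliveries_for` counts how often one order message reaches a consumer when processing takes longer than the timeout, with and without a ChangeMessageVisibility heartbeat, and `polls_while_idle` counts ReceiveMessage calls on an empty queue with short versus long polling. The queue class, the order message and the one-poll-per-second consumer behaviour are assumptions of the model.

```python
"""Model of SQS standard-queue delivery: visibility timeout,
ChangeMessageVisibility and long polling (WaitTimeSeconds).

Added illustration, not AWS or course code: SimulatedQueue is an in-memory
stand-in for SQS driven by a simulated clock, so the timing effects on the
slides (duplicate processing, heartbeats, fewer calls with long polling) can
be reproduced offline. The order message is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Message:
    message_id: str
    body: str
    receipt_handle: str = ""
    receive_count: int = 0
    invisible_until: float = 0.0   # simulated time until which the message is hidden


class SimulatedQueue:
    """In-memory stand-in for one SQS standard queue (constructed for the example)."""

    def __init__(self, visibility_timeout: int = 30) -> None:
        self.visibility_timeout = visibility_timeout   # SQS default is 30 seconds
        self.now = 0.0                                 # simulated clock, in seconds
        self._messages: Dict[str, Message] = {}
        self._next_id = 0

    def advance(self, seconds: float) -> None:
        self.now += seconds                            # wall-clock time passing

    def send_message(self, body: str) -> str:
        self._next_id += 1
        mid = f"msg-{self._next_id}"
        self._messages[mid] = Message(mid, body)
        return mid

    def receive_message(self, max_messages: int = 10, wait_time_seconds: int = 0) -> List[Message]:
        """ReceiveMessage: at most 10 messages; WaitTimeSeconds > 0 is long polling."""
        deadline = self.now + min(wait_time_seconds, 20)   # SQS caps the wait at 20 s
        while True:
            visible = [m for m in self._messages.values() if m.invisible_until <= self.now]
            if visible or self.now >= deadline:
                break
            self.advance(1)                                # long poll: keep waiting
        delivered = []
        for m in visible[:min(max_messages, 10)]:
            m.receive_count += 1
            m.receipt_handle = f"{m.message_id}#{m.receive_count}"
            m.invisible_until = self.now + self.visibility_timeout
            delivered.append(m)
        return delivered

    def change_message_visibility(self, receipt_handle: str, timeout: int) -> None:
        """ChangeMessageVisibility: hide the message for `timeout` seconds from now."""
        mid = receipt_handle.split("#")[0]
        if mid in self._messages:
            self._messages[mid].invisible_until = self.now + timeout

    def delete_message(self, receipt_handle: str) -> None:
        self._messages.pop(receipt_handle.split("#")[0], None)


def deliveries_for(work_seconds: int, visibility_timeout: int = 30, heartbeat: bool = False) -> int:
    """How many times one order message is handed to consumers that poll every second.

    A consumer needing longer than the visibility timeout, without calling
    ChangeMessageVisibility, sees the message handed to a second consumer as
    well (processed twice); heartbeat=True extends the timeout every second.
    """
    q = SimulatedQueue(visibility_timeout)
    q.send_message('{"order_id": 42, "customer_id": 7}')   # constructed order
    deliveries = 0
    in_progress: List[Tuple[float, str]] = []                # (finish_time, receipt_handle)
    while q.now <= 2 * work_seconds + visibility_timeout:
        for finish, handle in list(in_progress):
            if finish <= q.now:                                # done: delete the message
                q.delete_message(handle)
                in_progress.remove((finish, handle))
        for m in q.receive_message():                          # an idle consumer polls
            deliveries += 1
            in_progress.append((q.now + work_seconds, m.receipt_handle))
        if heartbeat:
            for _, handle in in_progress:
                q.change_message_visibility(handle, visibility_timeout)
        q.advance(1)
    return deliveries


def polls_while_idle(idle_seconds: int, wait_time_seconds: int) -> int:
    """ReceiveMessage calls a continuously polling consumer makes on an empty
    queue during idle_seconds (wait_time_seconds=0 is short polling)."""
    q = SimulatedQueue()
    calls = 0
    while q.now < idle_seconds:
        q.receive_message(wait_time_seconds=wait_time_seconds)
        calls += 1
        if wait_time_seconds == 0:
            q.advance(1)   # short poll returns at once; the consumer retries a second later
    return calls
```

A 45-second job under the default 30-second timeout is delivered twice unless the consumer heartbeats, and an idle consumer makes 60 short polls per minute versus 3 long polls with WaitTimeSeconds=20.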
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Amazon SQS — FIFO Queue


* FIFO = First In First Out (ordering of messages in the queue)

[Diagram: the Producer sends messages into the FIFO queue; the Consumer polls them out in the same order]

* Limited throughput: 300 msg/s without batching, 3000 msg/s with

* Exactly-once send capability (by removing duplicates)

* Messages are processed in order by the consumer
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SQS with Auto Scaling Group (ASG)


[Diagram: EC2 Instances in an Auto Scaling Group poll the SQS Queue for messages; the CloudWatch Metric "Queue Length" (ApproximateNumberOfMessages) feeds a CloudWatch Alarm, and an alarm for breach scales the Auto Scaling Group]
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If the load is too big, some transactions may be lost


[Diagram: requests reach an Auto-Scaling web tier that inserts transactions directly into the database (Amazon RDS, Amazon Aurora or Amazon DynamoDB); when the load is too big, some of those inserts are lost]
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SQS as a buffer to database writes


[Diagram: requests reach the Auto-Scaling web tier, which enqueues each one with SendMessage into an SQS Queue (infinitely scalable) instead of writing to the database directly]
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SQS to decouple between application tiers


[Diagram: a front-end web application (Auto-Scaling) takes requests and calls SendMessage on an SQS Queue (infinitely scalable); a back-end processing application (Auto-Scaling) calls ReceiveMessages on that queue]
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Amazon SNS


* What if you want to send one message to many receivers?

[Diagram: Direct integration: the Buying Service sends a separate message to each receiver (Email notification, Fraud Service, Shipping Service, SQS Queue). Pub / Sub: the Buying Service publishes once to an SNS Topic, and the same receivers subscribe to the topic]
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Amazon SNS


* The "event producer" only sends message to one SNS topic

* As many "event receivers" (subscriptions) as we want to listen to the SNS topic notifications
* Each subscriber to the topic will get all the messages (note: new feature to filter messages)
* Up to 12,500,000 subscriptions per topic

* 100,000 topics limit

[Diagram: publish to the SNS Topic; Subscribers: SQS, Lambda, Kinesis Data Firehose, Emails, SMS & Mobile Notifications, HTTP(S) Endpoints]
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SNS integrates with a lot of AWS services


* Many AWS services can send data directly to SNS for notifications

[Diagram: services publishing to SNS: CloudWatch Alarms, AWS Budgets, Lambda, Auto Scaling Group (Notifications), S3 Bucket (Events), DynamoDB, CloudFormation (State Changes), AWS DMS (New Replic), RDS Events]
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Amazon SNS — How to publish 


* Topic Publish (using the SDK) 
* Create a topic 
* Create a subscription (or many) 
* Publish to the topic 


* Direct Publish (for mobile apps SDK) 
* Create a platform application 
* Create a platform endpoint 
* Publish to the platform endpoint 
* Works with Google GCM, Apple APNS, Amazon ADM... 
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Amazon SNS — Security


* Encryption:
  * In-flight encryption using HTTPS API
  * At-rest encryption using KMS keys
  * Client-side encryption if the client wants to perform encryption/decryption itself

* Access Controls: IAM policies to regulate access to the SNS API

* SNS Access Policies (similar to S3 bucket policies)
  * Useful for cross-account access to SNS topics
  * Useful for allowing other services (S3...) to write to an SNS topic
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SNS + SQS: Fan Out


[Diagram: the Buying Service publishes to an SNS Topic; the Fraud Service and the Shipping Service each read from their own SQS Queue subscribed to the topic]

* Push once in SNS, receive in all SQS queues that are subscribers

* Fully decoupled, no data loss

* SQS allows for: data persistence, delayed processing and retries of work
* Ability to add more SQS subscribers over time

* Make sure your SQS queue access policy allows for SNS to write

* Cross-Region Delivery: works with SQS Queues in other regions
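The "make sure your SQS queue access policy allows for SNS to write" point is where fan-out deployments usually get either a broken delivery or an over-permissive queue. The added example below (not course or AWS code) holds the queue policy shape that grants exactly what fan-out needs, plus a small reviewer that flags the common shortcuts; the account ID, ARNs and policy documents are constructed placeholders.

```python
"""Review an SQS queue access policy used for SNS fan-out.

Added example, not AWS or course code: review_queue_policy() checks that a
queue policy lets the SNS service principal call sqs:SendMessage on the queue
only for messages coming from the intended topic (aws:SourceArn), and flags
the usual shortcuts (Principal "*", no SourceArn condition, sqs:*). The
account ID 123456789012, the ARNs and the policy documents are constructed
placeholders.
"""
import json
from fnmatch import fnmatchcase
from typing import Any, Dict, List

TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:orders-topic"   # placeholder
QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:orders-queue"   # placeholder

# What the fan-out needs and nothing more: SNS only, SendMessage only, this
# queue only, and only when the message originates from our topic.
GOOD_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowFanOutFromOrdersTopic",
        "Effect": "Allow",
        "Principal": {"Service": "sns.amazonaws.com"},
        "Action": "sqs:SendMessage",
        "Resource": QUEUE_ARN,
        "Condition": {"ArnEquals": {"aws:SourceArn": TOPIC_ARN}},
    }],
}

# Same statement without the aws:SourceArn condition: any SNS topic in any
# AWS account could push messages into the queue.
NO_SOURCE_POLICY: Dict[str, Any] = json.loads(json.dumps(GOOD_POLICY))
del NO_SOURCE_POLICY["Statement"][0]["Condition"]

# The "just make it work" shortcut: every principal may do anything to the queue.
WEAK_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "sqs:*", "Resource": QUEUE_ARN}],
}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _source_arns(statement: Dict[str, Any]) -> List[str]:
    """aws:SourceArn patterns from the statement's Condition block (any ARN operator)."""
    condition = statement.get("Condition", {})
    patterns: List[str] = []
    for operator in ("ArnEquals", "ArnLike", "StringEquals", "StringLike"):
        patterns += _as_list(condition.get(operator, {}).get("aws:SourceArn", []))
    return [p for p in patterns if p != "*"]       # a bare "*" is no restriction


def review_queue_policy(policy: Dict[str, Any], topic_arn: str, queue_arn: str) -> List[str]:
    """Return findings; an empty list means the policy is exactly what fan-out needs."""
    findings: List[str] = []
    sns_can_send = False
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        allows_send = any(a in ("sqs:SendMessage", "sqs:*", "*") for a in actions)
        covers_queue = any(fnmatchcase(queue_arn, r) for r in resources)
        if not (allows_send and covers_queue):
            continue
        principal = st.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append("SendMessage on the queue is granted to every principal ('*')")
            sns_can_send = True                    # delivery works, but so does anyone else's
            continue
        if isinstance(principal, dict) and "sns.amazonaws.com" in _as_list(principal.get("Service", [])):
            sources = _source_arns(st)
            if not sources:
                findings.append("SNS may send without an aws:SourceArn condition: "
                                "any topic in any account could write")
                sns_can_send = True
            elif not any(fnmatchcase(topic_arn, p) for p in sources):
                findings.append(f"aws:SourceArn condition does not cover {topic_arn}")
            else:
                sns_can_send = True
            if any(a in ("sqs:*", "*") for a in actions):
                findings.append("the SNS statement grants more than sqs:SendMessage")
    if not sns_can_send:
        findings.append("no statement lets sns.amazonaws.com call sqs:SendMessage from the topic: "
                        "fan-out delivery will fail")
    return findings
```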
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Application: S3 Events to multiple queues


* For the same combination of: event type (e.g. object create) and prefix (e.g. images/) you can only have one S3 Event rule

* If you want to send the same S3 event to many SQS queues, use fan-out

[Diagram: Amazon S3 sends "Object created" events to an SNS Topic; fan-out delivers them to several SQS Queues and a Lambda Function]
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Application: SNS to Amazon S3 through Kinesis Data Firehose


* SNS can send to Kinesis and therefore we can have the following solutions architecture:

[Diagram: SNS Topic -> Kinesis Data Firehose -> Amazon S3 (or any supported KDF Destination)]
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Amazon SNS — FIFO Topic


* FIFO = First In First Out (ordering of messages in the topic)

[Diagram: the Producer sends messages to the SNS FIFO topic; an SQS FIFO queue subscribed to it receives the messages in order]

* Similar features as SQS FIFO:
  * Ordering by Message Group ID (all messages in the same group are ordered)
  * Deduplication using a Deduplication ID or Content Based Deduplication

* Can only have SQS FIFO queues as subscribers
* Limited throughput (same throughput as SQS FIFO)
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SNS FIFO + SQS FIFO: Fan Out


* In case you need fan out + ordering + deduplication

[Diagram: the Buying Service publishes to an SNS FIFO Topic; the Fraud Service and the Shipping Service each consume from their own SQS FIFO Queue subscribed to the topic]
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SNS — Message Filtering


* JSON policy used to filter messages sent to SNS topics subscriptions

* If a subscription doesn't have a filter policy, it receives every message

[Diagram: the Buying Service publishes a "New transaction" message (State: Placed, Product: Pencil, Qty: 4) to an SNS Topic. Subscriptions: an SQS Queue (Placed orders) with Filter Policy State: Placed; an SQS Queue (Cancelled orders) and an Email Subscription (Cancelled orders) with Filter Policy State: Cancelled; an SQS Queue (Declined orders) with Filter Policy State: Declined; and an SQS Queue without a filter policy that receives every message]
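An added example, not the course's or AWS's own code, of how a filter policy decides which subscriptions receive the "New transaction" above: the evaluator implements the common filter-policy operators on message attributes, and `route` returns the subscriptions that would get the message. The subscription labels, the extra policies ("anything-but", a numeric quantity filter) and the message attributes are constructed for the example.

```python
"""Evaluate SNS subscription filter policies against a message's attributes.

Added example, not AWS or course code: a small evaluator for the common
filter-policy operators on message attributes (exact value, "anything-but",
"prefix", "numeric", "exists"), used to trace the slide's fan-out: one
"New transaction" published by the Buying Service, routed on its State
attribute. The message, the subscription labels and the policies are
constructed for the example.
"""
import json
from typing import Any, Dict, List, Optional

# Attributes of the slide's example transaction (State=Placed, Product=Pencil, Qty=4),
# in the shape SNS MessageAttributes take.
TRANSACTION: Dict[str, Dict[str, str]] = {
    "State": {"DataType": "String", "StringValue": "Placed"},
    "Product": {"DataType": "String", "StringValue": "Pencil"},
    "Qty": {"DataType": "Number", "StringValue": "4"},
}

# One filter policy per subscription (None = no filter policy, receives everything).
SUBSCRIPTIONS: Dict[str, Optional[Dict[str, List[Any]]]] = {
    "sqs-placed-orders": {"State": ["Placed"]},
    "sqs-cancelled-orders": {"State": ["Cancelled"]},
    "email-cancelled-orders": {"State": ["Cancelled"]},
    "sqs-declined-orders": {"State": ["Declined"]},
    "sqs-not-placed": {"State": [{"anything-but": ["Placed"]}]},
    "sqs-bulk-placed": {"State": ["Placed"], "Qty": [{"numeric": [">=", 10]}]},
    "sqs-all-orders": None,
}

_NUMERIC_OPS = {
    "=": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
}


def _attribute_values(attr: Dict[str, str]) -> List[Any]:
    """Comparable value(s) of one attribute: Number -> float, String.Array -> list."""
    raw = attr["StringValue"]
    if attr["DataType"] == "Number":
        return [float(raw)]
    if attr["DataType"] == "String.Array":
        return list(json.loads(raw))
    return [raw]


def _numeric_match(conditions: List[Any], value: float) -> bool:
    """["<", 5] or [">", 0, "<=", 100]: every (operator, bound) pair must hold."""
    pairs = zip(conditions[0::2], conditions[1::2])
    return all(_NUMERIC_OPS[op](value, float(bound)) for op, bound in pairs)


def _expression_matches(expr: Any, values: List[Any]) -> bool:
    """One entry of a policy's value list against the attribute's value(s)."""
    if not isinstance(expr, dict):
        return expr in values                      # exact match (string or number)
    if "exists" in expr:
        return expr["exists"] is True              # the attribute is present here
    if "anything-but" in expr:
        return not any(v in expr["anything-but"] for v in values)
    if "prefix" in expr:
        return any(isinstance(v, str) and v.startswith(expr["prefix"]) for v in values)
    if "numeric" in expr:
        return any(isinstance(v, float) and _numeric_match(expr["numeric"], v) for v in values)
    raise ValueError(f"unsupported filter expression: {expr!r}")


def matches(policy: Optional[Dict[str, List[Any]]], attributes: Dict[str, Dict[str, str]]) -> bool:
    """True if a subscription with this filter policy receives the message.

    Keys in the policy are ANDed; the entries listed under one key are ORed.
    """
    if not policy:
        return True
    for name, expressions in policy.items():
        attr = attributes.get(name)
        if attr is None:
            # a missing attribute only matches {"exists": false}
            if not any(isinstance(e, dict) and e.get("exists") is False for e in expressions):
                return False
            continue
        if not any(_expression_matches(e, _attribute_values(attr)) for e in expressions):
            return False
    return True


def route(attributes: Dict[str, Dict[str, str]],
          subscriptions: Dict[str, Optional[Dict[str, List[Any]]]] = SUBSCRIPTIONS) -> List[str]:
    """Labels of the subscriptions SNS would deliver a message with these attributes to."""
    return [label for label, policy in subscriptions.items() if matches(policy, attributes)]
```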
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Kinesis Overview


* Makes it easy to collect, process, and analyze streaming data in real-time

* Ingest real-time data such as: Application logs, Metrics, Website clickstreams, IoT telemetry data...

* Kinesis Data Streams: capture, process, and store data streams
* Kinesis Data Firehose: load data streams into AWS data stores
* Kinesis Data Analytics: analyze data streams with SQL or Apache Flink
* Kinesis Video Streams: capture, process, and store video streams
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Kinesis Data Streams


[Diagram: Producers (Applications, Client, SDK, KPL, Kinesis Agent) write records (Data Blob up to 1 MB) into the Stream's shards (Shard 1, Shard 2, ... Shard N) at 1 MB/sec or 1000 msg/sec per shard; Consumers (Apps using KCL or SDK, Lambda, Kinesis Data Firehose, Kinesis Data Analytics) read at 2 MB/sec per shard shared across all consumers (classic) or 2 MB/sec per shard per consumer (enhanced); the number of shards can be scaled]
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Kinesis Data Streams


* Retention between 1 day to 365 days

* Ability to reprocess (replay) data

* Once data is inserted in Kinesis, it can't be deleted (immutability)

* Data that shares the same partition goes to the same shard (ordering)
* Producers: AWS SDK, Kinesis Producer Library (KPL), Kinesis Agent

* Consumers:
  * Write your own: Kinesis Client Library (KCL), AWS SDK
  * Managed: AWS Lambda, Kinesis Data Firehose, Kinesis Data Analytics
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Kinesis Data Streams — Capacity Modes


* Provisioned mode:
  * You choose the number of shards provisioned, scale manually or using API
  * Each shard gets 1 MB/s in (or 1000 records per second)
  * Each shard gets 2 MB/s out (classic or enhanced fan-out consumer)
  * You pay per shard provisioned per hour

* On-demand mode:
  * No need to provision or manage the capacity
  * Default capacity provisioned (4 MB/s in or 4000 records per second)
  * Scales automatically based on observed throughput peak during the last 30 days
  * Pay per stream per hour & data in/out per GB
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Kinesis Data Streams Security


* Control access / authorization using IAM policies
* Encryption in flight using HTTPS endpoints
* Encryption at rest using KMS

* You can implement encryption/decryption of data on client side (harder)

* VPC Endpoints available for Kinesis to access within VPC

* Monitor API calls using CloudTrail

[Diagram: a Kinesis Data Stream made of Shard 1, Shard 2 and Shard 3]
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Kinesis Data Firehose


[Diagram: Producers (Applications, Client, SDK, KPL, Kinesis Agent, Amazon CloudWatch (Logs & Events), AWS IoT) and Kinesis Data Streams send records to Kinesis Data Firehose; an optional Lambda function performs data transformation; Firehose then delivers to Amazon Redshift (COPY through S3), 3rd-party Partner Destinations (Splunk, Datadog, New Relic, MongoDB) or Custom Destinations (HTTP Endpoint), and can write all or failed data to an S3 backup bucket]


Kinesis Data Firehose 


* Fully Managed Service, no administration, automatic scaling, serverless
  * AWS: Redshift / Amazon S3 / OpenSearch
  * 3rd party partner: Splunk / MongoDB / DataDog / NewRelic / ...
  * Custom: send to any HTTP endpoint

* Pay for data going through Firehose

* Near Real Time
  * 60 seconds latency minimum for non full batches
  * Or minimum 1 MB of data at a time

* Supports many data formats, conversions, transformations, compression
* Supports custom data transformations using AWS Lambda
* Can send failed or all data to a backup S3 bucket
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Kinesis Data Streams vs Firehose


Kinesis Data Streams
* Streaming service for ingest at scale
* Write custom code (producer / consumer)
* Real-time (~200 ms)
* Manage scaling (shard splitting / merging)
* Data storage for 1 to 365 days
* Supports replay capability

Kinesis Data Firehose
* Load streaming data into S3 / Redshift / OpenSearch / 3rd party / custom HTTP
* Fully managed
* Near real-time (buffer time min. 60 sec)
* Automatic scaling
* No data storage
* Doesn't support replay capability
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Ordering data into Kinesis


* Imagine you have 100 trucks (truck_1, truck_2, ... truck_100) on the road sending their GPS positions regularly into AWS.

* You want to consume the data in order for each truck, so that you can track their movement accurately.

* How should you send that data into Kinesis?

[Diagram: Kinesis Stream with 3 Shards (Shard 1, Shard 2, Shard 3); the Partition Key is "truck_id", so each truck's records always land in the same shard]

* Answer: send using a "Partition Key" value of the "truck_id"

* The same key will always go to the same shard
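Why the same partition key always lands in the same shard: Kinesis hashes the partition key with MD5 to a 128-bit hash key and routes the record to the shard whose hash key range contains it. The added example below (not course or AWS code) reproduces that routing for a stream whose shards split the hash key space evenly, assigns the slide's 100 trucks to 5 shards, and contrasts "truck_id" as the key with the mistake of using a per-record value as the key; the truck IDs are constructed sample data and ExplicitHashKey is not modelled.

```python
"""Which shard receives a Kinesis record with a given partition key?

Added example, not AWS or course code. Kinesis hashes the partition key with
MD5 into a 128-bit hash key and routes the record to the shard whose hash key
range contains it; shard_for() reproduces that routing for a stream whose
shards split the hash key space evenly (as CreateStream does). The truck IDs
are constructed sample data. (ExplicitHashKey, which bypasses the hash, is
not modelled.)
"""
import hashlib
from typing import Dict, Iterable, List, Tuple

HASH_KEY_SPACE = 2 ** 128
TRUCK_IDS = [f"truck_{n}" for n in range(1, 101)]   # constructed: the slide's 100 trucks


def shard_ranges(shard_count: int) -> List[Tuple[int, int]]:
    """Inclusive [start, end] hash key ranges for an evenly split stream."""
    if shard_count < 1:
        raise ValueError("a stream needs at least one shard")
    step = HASH_KEY_SPACE // shard_count
    ranges = [(i * step, (i + 1) * step - 1) for i in range(shard_count)]
    ranges[-1] = (ranges[-1][0], HASH_KEY_SPACE - 1)   # last shard absorbs the rounding remainder
    return ranges


def hash_key(partition_key: str) -> int:
    """The 128-bit hash key Kinesis derives from a partition key (MD5, big-endian)."""
    return int.from_bytes(hashlib.md5(partition_key.encode("utf-8")).digest(), "big")


def shard_for(partition_key: str, shard_count: int) -> int:
    """Index of the shard that receives every record carrying this partition key."""
    hk = hash_key(partition_key)
    for index, (start, end) in enumerate(shard_ranges(shard_count)):
        if start <= hk <= end:
            return index
    raise AssertionError("hash key outside the stream's hash key space")


def distribute(partition_keys: Iterable[str], shard_count: int) -> Dict[int, List[str]]:
    """Group partition keys by the shard they map to (e.g. trucks per shard)."""
    assignment: Dict[int, List[str]] = {i: [] for i in range(shard_count)}
    for key in partition_keys:
        assignment[shard_for(key, shard_count)].append(key)
    return assignment


def shards_touched_by_truck(truck: str, record_count: int, shard_count: int,
                            key_per_record: bool = False) -> int:
    """How many shards one truck's sequence of GPS records is spread over.

    key_per_record=True mimics using a unique value (record ID, timestamp) as
    the partition key: the truck's records scatter across shards, so no single
    shard consumer sees them in order. With the truck ID as key the answer is 1.
    """
    shards = set()
    for seq in range(record_count):
        key = f"{truck}-{seq}" if key_per_record else truck
        shards.add(shard_for(key, shard_count))
    return len(shards)
```

With 100 trucks on 5 shards the distribution is roughly 20 per shard but not exactly even, since it follows the MD5 hash rather than a round-robin; a single very chatty truck therefore also makes its shard the hot one.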
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Ordering data into SQS


* For SQS standard, there is no ordering.

* For SQS FIFO, if you don't use a Group ID, messages are consumed in the order they are sent, with only one consumer

[Diagram: SQS FIFO Queue; direction of travel: <- Last in ... First in ->; direction of consumption: <- Last consumed ... First consumed ->; the first batch is consumed before the second batch]

* You want to scale the number of consumers, but you want messages to be "grouped" when they are related to each other

* Then you use a Group ID (similar to Partition Key in Kinesis)

[Diagram: SQS FIFO Queue holding Message Group A and Message Group B; within each group, first batch then second batch, <- Last in ... First in ->]
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Kinesis vs SQS ordering


* Let's assume 100 trucks, 5 Kinesis shards, 1 SQS FIFO

* Kinesis Data Streams:
  * On average you'll have 20 trucks per shard
  * Trucks will have their data ordered within each shard
  * The maximum amount of consumers in parallel we can have is 5
  * Can receive up to 5 MB/s of data

* SQS FIFO
  * You only have one SQS FIFO queue
  * You will have 100 Group IDs
  * You can have up to 100 Consumers (due to the 100 Group IDs)
  * You have up to 300 messages per second (or 3000 if using batching)
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SQS vs SNS vs Kinesis


SQS:
* Consumer "pull data"
* Data is deleted after being consumed
* Can have as many workers (consumers) as we want
* No need to provision throughput
* Ordering guarantees only on FIFO queues
* Individual message delay capability

SNS:
* Push data to many subscribers
* Up to 12,500,000 subscribers
* Data is not persisted (lost if not delivered)
* Pub/Sub
* Up to 100,000 topics
* No need to provision throughput
* Integrates with SQS for fan-out architecture pattern
* FIFO capability for SQS FIFO

Kinesis:
* Standard: pull data
  * 2 MB per shard
* Enhanced-fan out: push data
  * 2 MB per shard per consumer
* Possibility to replay data
* Meant for real-time big data, analytics and ETL
* Ordering at the shard level
* Data expires after X days
* Provisioned mode or on-demand capacity mode
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Amazon MQ


* SQS, SNS are "cloud-native" services: proprietary protocols from AWS

* Traditional applications running from on-premises may use open protocols such as: MQTT, AMQP, STOMP, Openwire, WSS

* When migrating to the cloud, instead of re-engineering the application to use SQS and SNS, we can use Amazon MQ

* Amazon MQ is a managed message broker service for RabbitMQ and ActiveMQ

* Amazon MQ doesn't "scale" as much as SQS / SNS
* Amazon MQ runs on servers, can run in Multi-AZ with failover
* Amazon MQ has both queue feature (~SQS) and topic features (~SNS)
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Amazon MQ — High Availability


[Diagram: an active Amazon MQ broker in Availability Zone us-east-1a and a standby broker in Availability Zone us-east-1b, both backed by the same Amazon EFS (storage); the Client fails over from the active to the standby broker]
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What is Docker?


* Docker is a software development platform to deploy apps

* Apps are packaged in containers that can be run on any OS

* Apps run the same, regardless of where they're run
  * Any machine
  * No compatibility issues
  * Predictable behavior
  * Less work
  * Easier to maintain and deploy
  * Works with any language, any OS, any technology

* Use cases: microservices architecture, lift-and-shift apps from on-premises to the AWS cloud, ...
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Docker on an OS


[Diagram: one Server (e.g., EC2 instance) running Docker with several containers on it]
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Where are Docker images stored?


* Docker images are stored in Docker Repositories

* Docker Hub (https://hub.docker.com)
  * Public repository
  * Find base images for many technologies or OS (e.g., Ubuntu, MySQL, ...)

* Amazon ECR (Amazon Elastic Container Registry)
  * Private repository
  * Public repository (Amazon ECR Public Gallery https://gallery.ecr.aws)
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Docker vs. Virtual Machines


* Docker is "sort of" a virtualization technology, but not exactly

* Resources are shared with the host => many containers on one server

[Diagram: left, virtual machines: Apps run inside a Guest OS (VM) each, on top of the Host OS and Infrastructure; right, Docker: Apps run in containers sharing one Host OS (EC2 Instance) on the Infrastructure]
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Getting Started with Docker


[Diagram: a Dockerfile is built into a Docker image; the image is pushed to and pulled from Amazon ECR; running the image gives a container]

The Dockerfile shown in the diagram:

    FROM ubuntu:18.04
    COPY . /app
    RUN make /app
    CMD python3 /app/app.py
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Docker Containers Management on AWS


* Amazon Elastic Container Service (Amazon ECS)
  * Amazon's own container platform

* Amazon Elastic Kubernetes Service (Amazon EKS)
  * Amazon's managed Kubernetes (open source)

* AWS Fargate
  * Amazon's own Serverless container platform
  * Works with ECS and with EKS

* Amazon ECR:
  * Store container images
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Amazon ECS - EC2 Launch Type


* ECS = Elastic Container Service

* Launch Docker containers on AWS = Launch ECS Tasks on ECS Clusters

* EC2 Launch Type: you must provision & maintain the infrastructure (the EC2 instances)

* Each EC2 Instance must run the ECS Agent to register in the ECS Cluster

* AWS takes care of starting / stopping containers

[Diagram: an ECS Cluster made of several EC2 Instances, each running the ECS Agent and one or more ECS Tasks]
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Amazon ECS — Fargate Launch Type


* Launch Docker containers on AWS

* You do not provision the infrastructure (no EC2 instances to manage)

* It's all Serverless!

* You just create task definitions

* AWS just runs ECS Tasks for you based on the CPU / RAM you need

* To scale, just increase the number of tasks. Simple - no more EC2 instances!

[Diagram: a new Docker container is launched as an ECS Task in the cluster without any EC2 instance]
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Amazon ECS — IAM Roles for ECS


* EC2 Instance Profile (EC2 Launch Type only):
  * Used by the ECS agent
  * Makes API calls to ECS service
  * Send container logs to CloudWatch Logs
  * Pull Docker image from ECR
  * Reference sensitive data in Secrets Manager or SSM Parameter Store

* ECS Task Role:
  * Allows each task to have a specific role
  * Use different roles for the different ECS Services you run
  * Task Role is defined in the task definition

[Diagram: the ECS Agent on the EC2 Instance uses the EC2 Instance Profile to talk to ECS, pull from ECR and write to CloudWatch Logs; each ECS Task on that instance uses its own ECS Task Role]
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Amazon ECS — Load Balancer Integrations


* Application Load Balancer supported and works for most use cases

* Network Load Balancer recommended only for high throughput / high performance use cases, or to pair it with AWS PrivateLink

* Classic Load Balancer supported but not recommended (no advanced features — no Fargate)

[Diagram: Users -> Application Load Balancer -> ECS Tasks running on EC2 Instances in the ECS Cluster]
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Amazon ECS — Data Volumes (EFS)


* Mount EFS file systems onto ECS tasks
* Works for both EC2 and Fargate launch types

* Tasks running in any AZ will share the same data in the EFS file system

* Fargate + EFS = Serverless
* Use cases: persistent multi-AZ shared storage for your containers

* Note:
  * Amazon S3 cannot be mounted as a file system

[Diagram: an ECS Cluster with tasks in two Availability Zones; every task mounts the same EFS File System]
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ECS Service Auto Scaling


* Automatically increase/decrease the desired number of ECS tasks

* Amazon ECS Auto Scaling uses AWS Application Auto Scaling
  * ECS Service Average CPU Utilization
  * ECS Service Average Memory Utilization - Scale on RAM
  * ALB Request Count Per Target — metric coming from the ALB

* Target Tracking — scale based on target value for a specific CloudWatch metric
* Step Scaling — scale based on a specified CloudWatch Alarm
* Scheduled Scaling — scale based on a specified date/time (predictable changes)

* ECS Service Auto Scaling (task level) ≠ EC2 Auto Scaling (EC2 instance level)
* Fargate Auto Scaling is much easier to set up (because Serverless)
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EC2 Launch Type — Auto Scaling EC2 Instances


* Accommodate ECS Service Scaling by adding underlying EC2 Instances

* Auto Scaling Group Scaling
  * Scale your ASG based on CPU Utilization
  * Add EC2 instances over time

* ECS Cluster Capacity Provider
  * Used to automatically provision and scale the infrastructure for your ECS Tasks
  * Capacity Provider paired with an Auto Scaling Group
  * Add EC2 Instances when you're missing capacity (CPU, RAM...)
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ECS Scaling — Service CPU Usage Example


[Diagram: the ECS Service runs Task 1 and, after scaling, a new Task 2; the CloudWatch Metric (ECS Service CPU Usage) triggers a CloudWatch Alarm, which scales the ECS Service and, optionally, the ECS Capacity Providers]
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ECS tasks invoked by EventBridge


[Diagram: a Client uploads an object to S3; the event reaches Amazon EventBridge, which runs an ECS Task; the task uses an ECS Task Role (Access S3 & DynamoDB) and saves its result in Amazon DynamoDB]
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ECS tasks invoked by EventBridge Schedule


[Diagram: an Amazon EventBridge rule "Every 1 hour: Run ECS Task" launches a new Task on AWS Fargate for Batch Processing; the task uses an ECS Task Role (Access S3) to work with Amazon S3]
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ECS — SQS Queue Example


[Diagram: ECS tasks poll for messages from an SQS Queue and process them]
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ECS — Intercept Stopped Tasks using EventBridge


[Diagram: Containers emit an "ECS Task State Change" event -> EventBridge matches it with the Event Pattern below -> SNS -> email to the Administrator]

Event Pattern:

    {
      "source": [
        "aws.ecs"
      ],
      "detail-type": [
        "ECS Task State Change"
      ],
      "detail": {
        "lastStatus": [
          "STOPPED"
        ],
        "stoppedReason": [
          "Essential container in task exited"
        ]
      }
    }
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Amazon ECR


* ECR = Elastic Container Registry

* Store and manage Docker images on AWS

* Private and Public repository (Amazon ECR Public Gallery https://gallery.ecr.aws)
* Fully integrated with ECS, backed by Amazon S3

* Access is controlled through IAM (permission errors => policy)

* Supports image vulnerability scanning, versioning, image tags, image lifecycle, ...

[Diagram: Docker Image A and Docker Image B stored in ECR are pulled by an EC2 Instance of the ECS cluster]
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Amazon EKS Overview


* Amazon EKS = Amazon Elastic Kubernetes Service
* It is a way to launch managed Kubernetes clusters on AWS

* Kubernetes is an open-source system for automatic deployment, scaling and management of containerized (usually Docker) application

* It's an alternative to ECS, similar goal but different API

* EKS supports EC2 if you want to deploy worker nodes or Fargate to deploy serverless containers

* Use case: if your company is already using Kubernetes on-premises or in another cloud, and wants to migrate to AWS using Kubernetes

* Kubernetes is cloud-agnostic (can be used in any cloud — Azure, GCP...)
* For multiple regions, deploy one EKS cluster per region
* Collect logs and metrics using CloudWatch Container Insights
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Amazon EKS


[Diagram: Amazon EKS in the AWS Cloud: EKS Worker Nodes spread across Availability Zones (up to Availability Zone 3), with a Service LB in front of the pods]
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Amazon EKS — Node Types


* Managed Node Groups
  * Creates and manages Nodes (EC2 instances) for you
  * Nodes are part of an ASG managed by EKS
  * Supports On-Demand or Spot Instances

* Self-Managed Nodes
  * Nodes created by you and registered to the EKS cluster and managed by an ASG
  * You can use prebuilt AMI - Amazon EKS Optimized AMI
  * Supports On-Demand or Spot Instances

* AWS Fargate
  * No maintenance required; no nodes managed
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Amazon EKS — Data Volumes


* Need to specify StorageClass manifest on your EKS cluster
* Leverages a Container Storage Interface (CSI) compliant driver

* Support for...
  * Amazon EBS
  * Amazon EFS (works with Fargate)
  * Amazon FSx for Lustre
  * Amazon FSx for NetApp ONTAP
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AWS App Runner


* Fully managed service that makes it easy to deploy web applications and APIs at scale

* No infrastructure experience required
* Start with your source code or container image

* Automatically builds and deploy the web app

* Automatic scaling, highly available, load balancer, encryption

* VPC access support

* Connect to database, cache, and message queue services

* Use cases: web apps, APIs, microservices, rapid production deployments

[Diagram: start from a Container Image (Docker) or Code -> Configure Settings (Auto Scaling, Health Check) -> Create & Deploy -> Access using URL]
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Serverless Overview 
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What's serverless?


* Serverless is a new paradigm in which the developers don't have to manage servers anymore...

* They just deploy code
* They just deploy... functions!
* Initially... Serverless == FaaS (Function as a Service)

* Serverless was pioneered by AWS Lambda but now also includes anything that's managed: "databases, messaging, storage, etc."

* Serverless does not mean there are no servers... it means you just don't manage / provision / see them
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Serverless in AWS


* AWS Lambda
* DynamoDB
* AWS Cognito
* AWS API Gateway
* Amazon S3
* AWS SNS & SQS
* AWS Kinesis Data Firehose
* Aurora Serverless
* Step Functions
* Fargate

[Diagram: Users -> S3 bucket (static content), API Gateway (REST API) and Cognito -> Lambda -> DynamoDB]
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Why AWS Lambda


Amazon EC2
* Virtual Servers in the Cloud
* Limited by RAM and CPU
* Continuously running
* Scaling means intervention to add / remove servers

Amazon Lambda
* Virtual functions — no servers to manage!
* Limited by time - short executions
* Run on-demand
* Scaling is automated!
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Benefits of AWS Lambda


* Easy Pricing:
  * Pay per request and compute time
  * Free tier of 1,000,000 AWS Lambda requests and 400,000 GB-seconds of compute time

* Integrated with the whole AWS suite of services

* Integrated with many programming languages

* Easy monitoring through AWS CloudWatch

* Easy to get more resources per function (up to 10GB of RAM!)
* Increasing RAM will also improve CPU and network
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AWS Lambda language support


* Node.js (JavaScript)
* Python
* Java (Java 8 compatible)
* C# (.NET Core)
* Golang
* C# / PowerShell
* Ruby
* Custom Runtime API (community supported, example Rust)

* Lambda Container Image
  * The container image must implement the Lambda Runtime API
  * ECS / Fargate is preferred for running arbitrary Docker images
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AWS Lambda Integrations
Main ones


[Diagram: API Gateway, Kinesis, DynamoDB, S3, CloudFront, CloudWatch Events / EventBridge, CloudWatch Logs, SNS, Cognito]
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Example: Serverless Thumbnail creation


[Diagram: New image in S3 -> AWS Lambda Function creates a Thumbnail -> New thumbnail in S3; the function also writes metadata (image name, image size, creation date, etc.) in DynamoDB]
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Example: Serverless CRON Job


[Diagram: CloudWatch Events / EventBridge triggers every 1 hour -> AWS Lambda Function performs a task]


AWS Lambda Pricing: example


* You can find overall pricing information here: https://aws.amazon.com/lambda/pricing/

* Pay per calls:
  * First 1,000,000 requests are free
  * $0.20 per 1 million requests thereafter ($0.0000002 per request)

* Pay per duration: (in increment of 1 ms)
  * 400,000 GB-seconds of compute time per month for FREE
  * == 400,000 seconds if function is 1 GB RAM
  * == 3,200,000 seconds if function is 128 MB RAM
  * After that $1.00 for 600,000 GB-seconds

* It is usually very cheap to run AWS Lambda so it's very popular
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AWS Lambda Limits to Know - per region


* Execution:
  * Memory allocation: 128 MB — 10GB (1 MB increments)
  * Maximum execution time: 900 seconds (15 minutes)
  * Environment variables (4 KB)
  * Disk capacity in the "function container" (in /tmp): 512 MB to 10GB
  * Concurrency executions: 1000 (can be increased)

* Deployment:
  * Lambda function deployment size (compressed zip): 50 MB
  * Size of uncompressed deployment (code + dependencies): 250 MB
  * Can use the /tmp directory to load other files at startup
  * Size of environment variables: 4 KB
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Customization At The Edge


* Many modern applications execute some form of the logic at the edge

* Edge Function:
  * Code that you write and attach to CloudFront distributions
  * Runs close to your users to minimize latency

* CloudFront provides two types: CloudFront Functions & Lambda@Edge
* You don't have to manage any servers, deployed globally

* Use case: customize the CDN content
* Pay only for what you use
* Fully serverless
CloudFront Functions & Lambda@Edge - Use Cases

* Website Security and Privacy
* Dynamic Web Application at the Edge
* Search Engine Optimization (SEO)
* Intelligently Route Across Origins and Data Centers
* Bot Mitigation at the Edge
* Real-time Image Transformation
* A/B Testing
* User Authentication and Authorization
* User Prioritization
* User Tracking and Analytics
CloudFront Functions

* Lightweight functions written in JavaScript
* For high-scale, latency-sensitive CDN customizations
* Sub-ms startup times, millions of requests/second
* Used to change Viewer requests and responses:
  * Viewer Request: after CloudFront receives a request from a viewer
  * Viewer Response: before CloudFront forwards the response to the viewer
* Native feature of CloudFront (manage code entirely within CloudFront)

Diagram: Client -> Viewer Request -> CloudFront -> Origin; Origin -> CloudFront -> Viewer Response -> Client.
Lambda@Edge

* Lambda functions written in NodeJS or Python
* Scales to 1000s of requests/second
* Used to change CloudFront requests and responses:
  * Viewer Request - after CloudFront receives a request from a viewer
  * Origin Request - before CloudFront forwards the request to the origin
  * Origin Response - after CloudFront receives the response from the origin
  * Viewer Response - before CloudFront forwards the response to the viewer
* Author your functions in one AWS Region (us-east-1), then CloudFront replicates to its locations

Diagram: Client <-> CloudFront <-> Origin, with the four trigger points (Viewer Request, Origin Request, Origin Response, Viewer Response) marked on the request and response paths.
CloudFront Functions vs. Lambda@Edge

                                   | CloudFront Functions                      | Lambda@Edge
-----------------------------------|-------------------------------------------|---------------------------------------------
Runtime Support                    | JavaScript                                | Node.js, Python
# of Requests                      | Millions of requests per second           | Thousands of requests per second
CloudFront Triggers                | - Viewer Request/Response                 | - Viewer Request/Response
                                   |                                           | - Origin Request/Response
Max. Execution Time                | < 1 ms                                    | 5 - 10 seconds
Max. Memory                        | 2 MB                                      | 128 MB up to 10 GB
Total Package Size                 | 10 KB                                     | 1 MB - 50 MB
Network Access, File System Access | No                                        | Yes
Access to the Request Body         | No                                        | Yes
Pricing                            | Free tier available, 1/6th price of @Edge | No free tier, charged per request & duration
CloudFront Functions vs. Lambda@Edge - Use Cases

CloudFront Functions
* Cache key normalization
  * Transform request attributes (headers, cookies, query strings, URL) to create an optimal Cache Key
* Header manipulation
  * Insert/modify/delete HTTP headers in the request or response
* URL rewrites or redirects
* Request authentication & authorization
  * Create and validate user-generated tokens (e.g. JWT) to allow/deny requests

Lambda@Edge
* Longer execution time (several ms)
* Adjustable CPU or memory
* Your code depends on 3rd party libraries (e.g., AWS SDK to access other AWS services)
* Network access to use external services for processing
* File system access or access to the body of HTTP requests
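Two of the CloudFront Functions use cases just listed (cache key normalization on the viewer request, header manipulation on the viewer response) written out in the cloudfront-js runtime style, as an added example that is not part of the course slides. It assumes the standard CloudFront Functions event shape, where `request.querystring` and `response.headers` are objects keyed by name with a `value` field, and it assumes two content-relevant query parameters (`page`, `lang`) that are specific to this illustration.

```javascript
// Added example: CloudFront Functions for cache key normalization (viewer
// request) and security headers (viewer response). ES5 syntax on purpose,
// since the CloudFront Functions runtime is far more limited than Node.js.

// Query parameters that change the content and therefore belong in the cache
// key (assumed for this example). Everything else (utm_*, fbclid, ...) is
// dropped so the same page is not cached once per tracking link.
var CACHE_KEY_PARAMS = { page: true, lang: true };

function viewerRequest(event) {
  var request = event.request;
  var kept = {};
  // Sort the surviving parameters so ?lang=x&page=1 and ?page=1&lang=x
  // produce one cache entry instead of two.
  Object.keys(request.querystring).sort().forEach(function (name) {
    if (CACHE_KEY_PARAMS[name]) {
      kept[name] = request.querystring[name];
    }
  });
  request.querystring = kept;
  // Directory-style URIs map to index.html on an S3 static-site origin.
  if (request.uri.charAt(request.uri.length - 1) === '/') {
    request.uri += 'index.html';
  }
  return request;
}

function viewerResponse(event) {
  var response = event.response;
  var h = response.headers; // header names are lower-case in this runtime
  h['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload' };
  h['content-security-policy'] = { value: "default-src 'self'; frame-ancestors 'none'" };
  h['x-content-type-options'] = { value: 'nosniff' };
  h['x-frame-options'] = { value: 'DENY' };
  h['referrer-policy'] = { value: 'strict-origin-when-cross-origin' };
  return response;
}

// CloudFront calls `handler` with the event type it was attached for; a
// function may be associated with both event types, so dispatch on it.
function handler(event) {
  return event.context.eventType === 'viewer-response'
    ? viewerResponse(event)
    : viewerRequest(event);
}
```

Note that a viewer-request function runs before the cache lookup, so whatever it strips never reaches the origin or the cache key, while the response headers are added on the way out regardless of whether the object came from cache.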
Lambda by default

Default Lambda Deployment

* By default, your Lambda function is launched outside your own VPC (in an AWS-owned VPC)
* Therefore, it cannot access resources in your VPC (RDS, ElastiCache, internal ELB...)

Diagram: AWS Cloud; the Lambda function (in the AWS-owned VPC) can reach DynamoDB, but its connection to a Private RDS instance in the VPC's Private Subnet is marked "Not working".
Lambda in VPC

* You must define the VPC ID, the Subnets and the Security Groups
* Lambda will create an ENI (Elastic Network Interface) in your subnets

Diagram: Lambda (with a Lambda Security group) -> Elastic Network Interface (ENI) in the Private subnet -> Amazon RDS (with an RDS Security group).
Lambda with RDS Proxy

* If Lambda functions directly access your database, they may open too many connections under high load
* RDS Proxy
  * Improve scalability by pooling and sharing DB connections
  * Improve availability by reducing by 66% the failover time and preserving connections
  * Improve security by enforcing IAM authentication and storing credentials in Secrets Manager
* The Lambda function must be deployed in your VPC, because RDS Proxy is never publicly accessible

Diagram: Lambda functions -> RDS Proxy (in the Private subnet) -> RDS DB Instance.
Invoking Lambda from RDS & Aurora

* Invoke Lambda functions from within your DB instance
* Allows you to process data events from within a database
* Supported for RDS for PostgreSQL and Aurora MySQL
* Must allow outbound traffic to your Lambda function from within your DB instance (Public, NAT GW, VPC Endpoints)
* DB instance must have the required permissions to invoke the Lambda function (Lambda Resource-based Policy & IAM Policy)

Diagram: a user registers (INSERT) in the RDS DB Instance; the instance, given permission, invokes the Lambda function, which sends an email through Amazon SES.
RDS Event Notifications

* Notifications that tell information about the DB instance itself (created, stopped, start, ...)
* You don't have any information about the data itself
* Subscribe to the following event categories: DB instance, DB snapshot, DB Parameter Group, DB Security Group, RDS Proxy, Custom Engine Version
* Near real-time events (up to 5 minutes)
* Send notifications to SNS or subscribe to events using EventBridge

Diagram: RDS DB Instance -> RDS event notifications -> SNS / EventBridge.
Amazon DynamoDB

* Fully managed, highly available with replication across multiple AZs
* NoSQL database - not a relational database - with transaction support
* Scales to massive workloads, distributed database
* Millions of requests per second, trillions of rows, 100s of TB of storage
* Fast and consistent in performance (single-digit millisecond)
* Integrated with IAM for security, authorization and administration
* Low cost and auto-scaling capabilities
* No maintenance or patching, always available
* Standard & Infrequent Access (IA) Table Class
DynamoDB - Basics

* DynamoDB is made of Tables
* Each table has a Primary Key (must be decided at creation time)
* Each table can have an infinite number of items (= rows)
* Each item has attributes (can be added over time - can be null)
* Maximum size of an item is 400 KB
* Data types supported are:
  * Scalar Types - String, Number, Binary, Boolean, Null
  * Document Types - List, Map
  * Set Types - String Set, Number Set, Binary Set
* Therefore, in DynamoDB you can rapidly evolve schemas
DynamoDB - Table example

Diagram: a table whose Primary Key is made of a Partition Key and a Sort Key, followed by the remaining Attributes. Sample rows: 7791a3d6-... | 4421 | Win, and 873e0624... | 4521 | Win.
DynamoDB - Read/Write Capacity Modes

* Control how you manage your table's capacity (read/write throughput)
* Provisioned Mode (default)
  * You specify the number of reads/writes per second
  * You need to plan capacity beforehand
  * Pay for provisioned Read Capacity Units (RCU) & Write Capacity Units (WCU)
  * Possibility to add auto-scaling mode for RCU & WCU
* On-Demand Mode
  * Read/writes automatically scale up/down with your workloads
  * No capacity planning needed
  * Pay for what you use, more expensive ($$$)
  * Great for unpredictable workloads, steep sudden spikes


DynamoDB Accelerator (DAX)

* Fully-managed, highly available, seamless in-memory cache for DynamoDB
* Help solve read congestion by caching
* Microseconds latency for cached data
* Doesn't require application logic modification (compatible with existing DynamoDB APIs)
* 5 minutes TTL for cache (default)

Diagram: Application -> DAX cluster (in-memory cache nodes) -> Amazon DynamoDB.
DynamoDB Accelerator (DAX) vs. ElastiCache

Diagram: the Application uses Amazon ElastiCache to store aggregation results, and DynamoDB Accelerator (DAX) in front of Amazon DynamoDB as an individual objects cache and a Query & Scan cache.
DynamoDB - Stream Processing

* Ordered stream of item-level modifications (create/update/delete) in a table
* Use cases:
  * React to changes in real-time (welcome email to users)
  * Real-time usage analytics
  * Insert into derivative tables
  * Implement cross-region replication
  * Invoke AWS Lambda on changes to your DynamoDB table

DynamoDB Streams
* 24 hours retention
* Limited # of consumers
* Process using AWS Lambda triggers, or the DynamoDB Stream Kinesis adapter

Kinesis Data Streams (newer)
* 1 year retention
* High # of consumers
* Process using AWS Lambda, Kinesis Data Analytics, Kinesis Data Firehose, AWS Glue Streaming ETL...
DynamoDB Streams

Diagram: the Application performs create/update/delete on the DDB Table; DynamoDB Streams feeds a Processing Layer (Lambda, or a KCL Adapter application) that handles messaging and notifications (Amazon SNS), filtering and transforming (into another DynamoDB table), analytics (Amazon Redshift), archiving (Kinesis Data Streams -> Kinesis Data Firehose) and indexing (Amazon OpenSearch).
DynamoDB - Global Tables

Diagram: a GLOBAL TABLE with a Table in US-EAST-1 and a Table in AP-SOUTHEAST-2, with two-way replication between them.

* Make a DynamoDB table accessible with low latency in multiple regions
* Active-Active replication
* Applications can READ and WRITE to the table in any region
* Must enable DynamoDB Streams as a pre-requisite
DynamoDB - Time To Live (TTL)

* Automatically delete items after an expiry timestamp
* Use cases: reduce stored data by keeping only current items, adhere to regulatory obligations, web session handling...

Diagram: current time Friday, September 10, 2021, 11:56:11 AM (Epoch timestamp: 1631274971); the Expiration Process scans the table and expires items whose TTL attribute is in the past (e.g. an item with TTL 1631188571), then the Deletion Process deletes the expired items.
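The session-handling use case above, as an added example that is not part of the course slides. The attribute name `expireAt` is an assumption (TTL works on whichever Number attribute you enable it for). The practitioner's caveat it shows: TTL deletion is asynchronous and may lag behind the expiry timestamp, so reads must not treat "still in the table" as "still valid".

```javascript
// Added example: write a session item with a TTL attribute (epoch seconds),
// and filter out expired items on read because the DynamoDB deletion process
// runs in the background and can lag behind the expiry time.
var SESSION_TTL_SECONDS = 24 * 60 * 60; // one day (assumed for this example)

function expiresAt(nowSeconds, ttlSeconds) {
  return nowSeconds + ttlSeconds;
}

// Item shape as the application would PutItem it; `expireAt` is the attribute
// TTL is enabled on. TTL expects epoch seconds, not milliseconds.
function sessionItem(sessionId, userId, nowSeconds) {
  return {
    sessionId: sessionId,
    userId: userId,
    createdAt: nowSeconds,
    expireAt: expiresAt(nowSeconds, SESSION_TTL_SECONDS)
  };
}

// Mirrors the FilterExpression "expireAt > :now" (or a check after GetItem)
// a reader must apply; an item without a TTL attribute never expires.
function isLive(item, nowSeconds) {
  return typeof item.expireAt !== 'number' || item.expireAt > nowSeconds;
}

function liveItems(items, nowSeconds) {
  return items.filter(function (item) { return isLive(item, nowSeconds); });
}
```

For a session store this matters: a session whose TTL passed a minute ago is still readable until the background process removes it, so authentication code must check the timestamp itself rather than relying on the deletion.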
DynamoDB - Backups for disaster recovery

* Continuous backups using point-in-time recovery (PITR)
  * Optionally enabled for the last 35 days
  * Point-in-time recovery to any time within the backup window
  * The recovery process creates a new table
* On-demand backups
  * Full backups for long-term retention, until explicitly deleted
  * Doesn't affect performance or latency
  * Can be configured and managed in AWS Backup (enables cross-region copy)
  * The recovery process creates a new table
DynamoDB - Integration with Amazon S3

* Export to S3 (must enable PITR)
  * Works for any point of time in the last 35 days
  * Doesn't affect the read capacity of your table
  * Perform data analysis on top of DynamoDB
  * Retain snapshots for auditing
  * ETL on top of S3 data before importing back into DynamoDB
  * Export in DynamoDB JSON or ION format
* Import from S3
  * Import CSV, DynamoDB JSON or ION format
  * Doesn't consume any write capacity
  * Creates a new table
  * Import errors are logged in CloudWatch Logs

Diagram: DynamoDB -> export -> S3 -> query with Athena; S3 (.csv, .json, .ion) -> import -> DynamoDB.
Example: Building a Serverless API

Diagram: Client -> REST API -> API Gateway -> proxy requests -> Lambda -> CRUD -> DynamoDB.
AWS API Gateway

* AWS Lambda + API Gateway: No infrastructure to manage
* Support for the WebSocket Protocol
* Handle API versioning (v1, v2...)
* Handle different environments (dev, test, prod...)
* Handle security (Authentication and Authorization)
* Create API keys, handle request throttling
* Swagger / Open API import to quickly define APIs
* Transform and validate requests and responses
* Generate SDK and API specifications
* Cache API responses
API Gateway - Integrations High Level

* Lambda Function
  * Invoke Lambda function
  * Easy way to expose REST API backed by AWS Lambda
* HTTP
  * Expose HTTP endpoints in the backend
  * Example: internal HTTP API on premise, Application Load Balancer...
  * Why? Add rate limiting, caching, user authentication, API keys, etc...
* AWS Service
  * Expose any AWS API through the API Gateway
  * Example: start an AWS Step Function workflow, post a message to SQS
  * Why? Add authentication, deploy publicly, rate control...
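The Lambda integration from the "Building a Serverless API" diagram and the list above, as an added example that is not part of the course slides: a Node.js handler for an API Gateway REST API with Lambda proxy integration. It assumes a `/todos/{id}` resource and uses an in-memory Map where the real function would call DynamoDB; everything else (the `event.httpMethod`, `event.resource`, `event.pathParameters`, `event.body` fields and the `{ statusCode, headers, body }` return shape) is the proxy integration contract.

```javascript
// Added example: Lambda proxy integration handler for GET/PUT/DELETE /todos/{id}.
// API Gateway passes the whole HTTP request in `event` and relays whatever
// { statusCode, headers, body } the function returns.

// Stand-in for the DynamoDB table (assumption for this example). Module-level
// state survives warm invocations of one execution environment but is not
// shared across environments, which is exactly why real code stores in DynamoDB.
var store = new Map();

function response(statusCode, payload) {
  return {
    statusCode: statusCode,
    headers: { 'Content-Type': 'application/json' },
    body: payload === undefined ? '' : JSON.stringify(payload)
  };
}

// Synchronous routing so the behaviour can be exercised without awaiting.
function route(event) {
  var id = event.pathParameters && event.pathParameters.id;
  if (!id) return response(400, { error: 'missing id' });

  switch (event.httpMethod + ' ' + event.resource) {
    case 'GET /todos/{id}':
      return store.has(id) ? response(200, store.get(id)) : response(404, { error: 'not found' });

    case 'PUT /todos/{id}': {
      var input;
      try { input = JSON.parse(event.body || ''); } catch (e) { return response(400, { error: 'invalid JSON' }); }
      // The proxy integration does no validation of its own: check the body
      // before it reaches the data store.
      if (!input || typeof input.title !== 'string' || input.title.length === 0 || input.title.length > 200) {
        return response(400, { error: 'title must be a non-empty string of at most 200 characters' });
      }
      var item = { id: id, title: input.title, done: input.done === true };
      store.set(id, item);
      return response(200, item);
    }

    case 'DELETE /todos/{id}':
      store.delete(id);           // idempotent: deleting a missing item is still 204
      return response(204);

    default:
      return response(405, { error: 'method not allowed' });
  }
}

// Entry point to export as the function handler.
async function handler(event) {
  return route(event);
}
```

The 405 default matters with proxy integration: API Gateway forwards any method you mapped to the resource, so the function, not the gateway, has to reject what it does not implement.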
API Gateway - AWS Service Integration: Kinesis Data Streams example

Diagram: Client -> requests -> API Gateway -> Kinesis Data Streams -> Kinesis Data Firehose -> store .json files in Amazon S3.
API Gateway - Endpoint Types

* Edge-Optimized (default): For global clients
  * Requests are routed through the CloudFront Edge locations (improves latency)
  * The API Gateway still lives in only one region
* Regional:
  * For clients within the same region
  * Could manually combine with CloudFront (more control over the caching strategies and the distribution)
* Private:
  * Can only be accessed from your VPC using an interface VPC endpoint (ENI)
  * Use a resource policy to define access
API Gateway - Security

* User Authentication through
  * IAM Roles (useful for internal applications)
  * Cognito (identity for external users - example mobile users)
  * Custom Authorizer (your own logic)
* Custom Domain Name HTTPS security through integration with AWS Certificate Manager (ACM)
  * If using Edge-Optimized endpoint, then the certificate must be in us-east-1
  * If using Regional endpoint, the certificate must be in the API Gateway region
  * Must setup CNAME or A-alias record in Route 53


AWS Step Functions

* Build serverless visual workflow to orchestrate your Lambda functions
* Features: sequence, parallel, conditions, timeouts, error handling, ...
* Can integrate with EC2, ECS, On-premises servers, API Gateway, SQS queues, etc...
* Possibility of implementing human approval feature
* Use cases: order fulfillment, data processing, web applications, any workflow

Diagram: a visual workflow graph with a legend (In Progress, Succeeded, Failed, Cancelled, Caught Error).
Amazon Cognito

* Give users an identity to interact with our web or mobile application
* Cognito User Pools:
  * Sign in functionality for app users
  * Integrate with API Gateway & Application Load Balancer
* Cognito Identity Pools (Federated Identity):
  * Provide AWS credentials to users so they can access AWS resources directly
  * Integrate with Cognito User Pools as an identity provider
* Cognito vs IAM: "hundreds of users", "mobile users", "authenticate with SAML"
Cognito User Pools (CUP) - User Features

* Create a serverless database of users for your web & mobile apps
* Simple login: Username (or email) / password combination
* Password reset
* Email & Phone Number Verification
* Multi-factor authentication (MFA)
* Federated Identities: users from Facebook, Google, SAML...
Cognito User Pools (CUP) - Integrations

* CUP integrates with API Gateway and Application Load Balancer

Diagram (API Gateway): the client authenticates with Cognito User Pools, retrieves a token, and passes the token to the API Gateway REST API, which evaluates the Cognito token before calling the backend.

Diagram (ALB): the client sends requests to the Application Load Balancer (listeners & rules), which authenticates the user with Cognito User Pools before forwarding to the Target Group.
Cognito Identity Pools (Federated Identities)

* Get identities for "users" so they obtain temporary AWS credentials
* Users source can be Cognito User Pools, 3rd party logins, etc...
* Users can then access AWS services directly or through API Gateway
* The IAM policies applied to the credentials are defined in Cognito
  * They can be customized based on the user_id for fine grained control
* Default IAM roles for authenticated and guest users
Cognito Identity Pools - Diagram

Diagram: the Web & Mobile Application (1) logs in and gets a token from a Social Identity Provider, Cognito User Pools or a SAML identity provider, (2) exchanges the token for temporary AWS credentials with Cognito Identity Pools, which validates the token, and then has direct access to AWS (Private S3 Bucket, DynamoDB Table).
Cognito Identity Pools - Row Level Security in DynamoDB

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query",
        "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem",
        "dynamodb:BatchWriteItem"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-west-2:123456789012:table/MyTable"
      ],
      "Condition": {
        "ForAllValues:String
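How the row-level policy above is enforced, as an added example that is not part of the course slides. The condition on the slide is cut off; this example assumes it continues as `"ForAllValues:StringEquals": { "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"] }`, where `dynamodb:LeadingKeys` carries the partition key values a request touches and the policy variable resolves to the caller's Identity Pool id. The evaluator below is a simplified local model of that one condition, not the IAM engine, and the identity ids are constructed.

```javascript
// Added example: evaluate the row-level DynamoDB policy locally. A user may
// only touch items whose partition key equals their own Cognito identity id.
var TABLE_ARN = 'arn:aws:dynamodb:us-west-2:123456789012:table/MyTable';

var ROW_LEVEL_POLICY = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Action: ['dynamodb:GetItem', 'dynamodb:BatchGetItem', 'dynamodb:Query',
             'dynamodb:PutItem', 'dynamodb:UpdateItem', 'dynamodb:DeleteItem',
             'dynamodb:BatchWriteItem'],
    Resource: [TABLE_ARN],
    Condition: {
      'ForAllValues:StringEquals': {
        'dynamodb:LeadingKeys': ['${cognito-identity.amazonaws.com:sub}']
      }
    }
  }]
};

// ForAllValues:StringEquals is true when every value in the request is in the
// policy set. It is also true when the request carries no values at all,
// which is why the policy must not grant dynamodb:Scan (a Scan has no leading
// keys to constrain).
function forAllValuesStringEquals(requestValues, policyValues) {
  return requestValues.every(function (v) { return policyValues.indexOf(v) !== -1; });
}

function resolveVariables(values, identity) {
  return values.map(function (v) {
    return v.replace('${cognito-identity.amazonaws.com:sub}', identity.sub);
  });
}

// request: { action, resource, leadingKeys }; identity: { sub } from the
// Identity Pool credentials the caller obtained.
function isAllowed(policy, request, identity) {
  return policy.Statement.some(function (stmt) {
    if (stmt.Effect !== 'Allow') return false;
    if (stmt.Action.indexOf(request.action) === -1) return false;
    if (stmt.Resource.indexOf(request.resource) === -1) return false;
    var cond = stmt.Condition['ForAllValues:StringEquals'];
    var allowedKeys = resolveVariables(cond['dynamodb:LeadingKeys'], identity);
    return forAllValuesStringEquals(request.leadingKeys, allowedKeys);
  });
}
```

The design consequence for the table: the partition key must be the identity id, and batch operations are judged on all keys in the batch, so one foreign key in a BatchGetItem denies the whole call.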
Serverless Architectures

Mobile application: MyTodoList

* We want to create a mobile application with the following requirements
  * Expose as REST API with HTTPS
  * Serverless architecture
  * Users should be able to directly interact with their own folder in S3
  * Users should authenticate through a managed serverless service
  * The users can write and read to-dos, but they mostly read them
  * The database should scale, and have some high read throughput
Mobile app: REST API layer

Diagram: Mobile client -> REST HTTPS -> Amazon API Gateway -> invoke -> AWS Lambda -> Amazon DynamoDB; the mobile client authenticates with Amazon Cognito.
Mobile app: giving users access to S3

Diagram: as before (Mobile client -> REST HTTPS -> Amazon API Gateway -> invoke -> AWS Lambda -> Amazon DynamoDB, authentication with Amazon Cognito); in addition, Amazon Cognito generates temporary credentials through AWS STS, and the mobile client uses them, with restricted permissions, to store/retrieve files directly in Amazon S3.
Mobile app: high read throughput, static data

Diagram: same as before, with a DAX caching layer between AWS Lambda and DynamoDB (Lambda queries / reads through DAX); API Gateway verifies authentication with Amazon Cognito.
Mobile app: caching at the API Gateway

Diagram: same as before, with caching of responses enabled at Amazon API Gateway in front of Lambda, the DAX caching layer and DynamoDB.
In this lecture

* Serverless REST API: HTTPS, API Gateway, Lambda, DynamoDB
* Using Cognito to generate temporary credentials with STS to access S3 bucket with restricted policy. App users can directly access AWS resources this way. Pattern can be applied to DynamoDB, Lambda...
* Caching the reads on DynamoDB using DAX
* Caching the REST requests at the API Gateway level
* Security for authentication and authorization with Cognito, STS
Serverless hosted website: MyBlog.com

* This website should scale globally
* Blogs are rarely written, but often read
* Some of the website is purely static files, the rest is a dynamic REST API
* Caching must be implemented where possible
* Any new user that subscribes should receive a welcome email
* Any photo uploaded to the blog should have a thumbnail generated
Serving static content, globally

Diagram: Client -> interaction with edge locations -> Amazon CloudFront (global distribution) -> Amazon S3.
Serving static content, globally, securely

Diagram: Client -> edge locations -> Amazon CloudFront (global distribution) -> Amazon S3; CloudFront uses OAC (Origin Access Control), and the S3 bucket policy only authorizes requests from the CloudFront distribution.
Adding a public serverless REST API

Diagram: as before for static content (Amazon CloudFront with OAC -> Amazon S3 with a bucket policy that only authorizes the CloudFront distribution); the client also calls a REST HTTPS API on Amazon API Gateway, which invokes AWS Lambda, which queries / reads DynamoDB.
Leveraging DynamoDB Global Tables

Diagram: same as before, with DynamoDB Global Tables in place of the single-region table so the data is served globally.
User Welcome email flow

Diagram: same as before (CloudFront + S3; API Gateway -> Lambda -> DAX caching layer -> DynamoDB); DynamoDB streams changes to a DynamoDB Stream, which invokes an AWS Lambda function; that function has an IAM Role and uses the SDK to send the email through Amazon Simple Email Service (SES).
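The Lambda function in the welcome email flow above (and the "React to changes in real-time (welcome email to users)" use case from the Stream Processing slide), as an added example that is not part of the course slides. It assumes the users table carries `email` and `name` attributes; the `sendEmail` callback is injected so the logic runs without the SES SDK, and in the deployed function it would wrap the SES send call made with the function's IAM role.

```javascript
// Added example: process DynamoDB Stream records and send a welcome mail for
// each newly inserted user. Stream records carry items in DynamoDB JSON
// (typed attribute values such as { "S": "..." }), so they are unmarshalled first.

// Minimal unmarshaller for the attribute types used here.
function fromDynamoValue(av) {
  if ('S' in av) return av.S;
  if ('N' in av) return Number(av.N);
  if ('BOOL' in av) return av.BOOL;
  if ('NULL' in av) return null;
  if ('L' in av) return av.L.map(fromDynamoValue);
  if ('M' in av) return fromDynamoImage(av.M);
  if ('SS' in av) return av.SS.slice();
  throw new Error('unsupported attribute type: ' + Object.keys(av).join(','));
}

function fromDynamoImage(image) {
  var out = {};
  Object.keys(image).forEach(function (k) { out[k] = fromDynamoValue(image[k]); });
  return out;
}

// Only INSERT events represent new users; MODIFY and REMOVE must not trigger
// a mail. Items without a usable email address are skipped.
function newSubscribers(streamEvent) {
  return streamEvent.Records
    .filter(function (r) { return r.eventName === 'INSERT' && r.dynamodb && r.dynamodb.NewImage; })
    .map(function (r) { return fromDynamoImage(r.dynamodb.NewImage); })
    .filter(function (u) { return typeof u.email === 'string' && u.email.indexOf('@') > 0; });
}

// sendEmail({ to, subject, name }) returns a promise (SES SDK call in production).
async function processStream(streamEvent, sendEmail) {
  var users = newSubscribers(streamEvent);
  // If this throws, Lambda retries the batch until it succeeds or the records
  // expire from the stream, so the send should be idempotent (for example by
  // recording a "welcomed" flag on the user item before or after sending).
  for (var i = 0; i < users.length; i++) {
    await sendEmail({ to: users[i].email, subject: 'Welcome to MyBlog', name: users[i].name });
  }
  return users.length;
}

// Entry point to export as the function handler; `sendEmail` would be bound
// to the SES client here.
async function handler(streamEvent, sendEmail) {
  return processStream(streamEvent, sendEmail);
}
```

Because a stream batch is retried as a whole, a single poisoned record can block the shard; configure a failure destination or bisect-on-error on the event source mapping so one bad item does not stop every later welcome mail.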
Thumbnail Generation flow

Diagram: same as before (CloudFront + S3; API Gateway -> Lambda -> DAX caching layer -> DynamoDB); in addition, the client uploads photos (through Amazon CloudFront, with transfer acceleration) to Amazon S3, which triggers an AWS Lambda function that generates the thumbnail and stores it in Amazon S3.
AWS Hosted Website Summary

* We've seen static content being distributed using CloudFront with S3
* The REST API was serverless, didn't need Cognito because public
* We leveraged a Global DynamoDB table to serve the data globally
  * (we could have used Aurora Global Database)
* We enabled DynamoDB streams to trigger a Lambda function
* The Lambda function had an IAM role which could use SES
* SES (Simple Email Service) was used to send emails in a serverless way
* S3 can trigger SQS / SNS / Lambda to notify of events
Micro Services architecture

* We want to switch to a micro service architecture
* Many services interact with each other directly using a REST API
* Each architecture for each micro service may vary in form and shape
* We want a micro-service architecture so we can have a leaner development lifecycle for each service
Micro Services Environment

Diagram: Users -> DNS Query -> Amazon Route 53, then HTTPS to each service:
* service1.example.com -> Elastic Load Balancing -> ECS -> DynamoDB
* service2.example.com -> Amazon API Gateway -> AWS Lambda -> ElastiCache
* service3.example.com -> Elastic Load Balancing -> Amazon EC2 Auto Scaling -> Amazon RDS
Discussions on Micro Services

* You are free to design each micro-service the way you want
  * Synchronous patterns: API Gateway, Load Balancers
  * Asynchronous patterns: SQS, Kinesis, SNS, Lambda triggers (S3)
* Challenges with micro-services:
  * repeated overhead for creating each new microservice,
  * issues with optimizing server density/utilization
  * complexity of running multiple versions of multiple microservices simultaneously
  * proliferation of client-side code requirements to integrate with many separate services.
* Some of the challenges are solved by Serverless patterns:
  * API Gateway, Lambda scale automatically and you pay per usage
  * You can easily clone API, reproduce environments
  * Generated client SDK through Swagger integration for the API Gateway
Software updates offloading

* We have an application running on EC2, that distributes software updates once in a while
* When a new software update is out, we get a lot of requests and the content is distributed in mass over the network. It's very costly
* We don't want to change our application, but want to optimize our cost and CPU, how can we do it?
Our application current state

Diagram: an Auto Scaling group of EC2 instances spread over Availability zone 1, 2 and 3, sharing an Amazon Elastic File System (Availability zone 1 to 3).

Easy way to fix things!

Diagram: the same Auto Scaling group and Amazon Elastic File System, with Amazon CloudFront placed in front of the application.
Why CloudFront?

* No changes to architecture
* Will cache software update files at the edge
* Software update files are not dynamic, they're static (never changing)
* Our EC2 instances aren't serverless
* But CloudFront is, and will scale for us
* Our ASG will not scale as much, and we'll save tremendously in EC2
* We'll also save in availability, network bandwidth cost, etc
* Easy way to make an existing application more scalable and cheaper!
Databases

Choosing the Right Database

* We have a lot of managed databases on AWS to choose from
* Questions to choose the right database based on your architecture:
  * Read-heavy, write-heavy, or balanced workload? Throughput needs? Will it change, does it need to scale or fluctuate during the day?
  * How much data to store and for how long? Will it grow? Average object size? How are they accessed?
  * Data durability? Source of truth for the data?
  * Latency requirements? Concurrent users?
  * Data model? How will you query the data? Joins? Structured? Semi-Structured?
  * Strong schema? More flexibility? Reporting? Search? RDBMS / NoSQL?
  * License costs? Switch to Cloud Native DB such as Aurora?
Database Types

* RDBMS (= SQL / OLTP): RDS, Aurora - great for joins
* NoSQL database - no joins, no SQL: DynamoDB, ElastiCache (key / value pairs), Neptune (graphs), DocumentDB (for MongoDB), Keyspaces (for Apache Cassandra)
* Object Store: S3 (for big objects) / Glacier (for backups / archives)
* Data Warehouse (= SQL Analytics / BI): Redshift (OLAP), Athena, EMR
* Search: OpenSearch (JSON) - free text, unstructured searches
* Graphs: Amazon Neptune - displays relationships between data
* Ledger: Amazon Quantum Ledger Database
* Time series: Amazon Timestream
* Note: some databases are being discussed in the Data & Analytics section
Amazon RDS - Summary

* Managed PostgreSQL / MySQL / Oracle / SQL Server / MariaDB / Custom
* Provisioned RDS Instance Size and EBS Volume Type & Size
* Auto-scaling capability for Storage
* Support for Read Replicas and Multi AZ
* Security through IAM, Security Groups, KMS, SSL in transit
* Automated Backup with Point in time restore feature (up to 35 days)
* Manual DB Snapshot for longer-term recovery
* Managed and Scheduled maintenance (with downtime)
* Support for IAM Authentication, integration with Secrets Manager
* RDS Custom for access to and customize the underlying instance (Oracle & SQL Server)
* Use case: Store relational datasets (RDBMS / OLTP), perform SQL queries, transactions
Amazon Aurora - Summary

* Compatible API for PostgreSQL / MySQL, separation of storage and compute
* Storage: data is stored in 6 replicas, across 3 AZ - highly available, self-healing, auto-scaling
* Compute: Cluster of DB Instance across multiple AZ, auto-scaling of Read Replicas
* Cluster: Custom endpoints for writer and reader DB instances
* Same security / monitoring / maintenance features as RDS
* Know the backup & restore options for Aurora
* Aurora Serverless - for unpredictable / intermittent workloads, no capacity planning
* Aurora Multi-Master - for continuous writes failover (high write availability)
* Aurora Global: up to 16 DB Read Instances in each region, < 1 second storage replication
* Aurora Machine Learning: perform ML using SageMaker & Comprehend on Aurora
* Aurora Database Cloning: new cluster from existing one, faster than restoring a snapshot
* Use case: same as RDS, but with less maintenance / more flexibility / more performance / more features
Amazon ElastiCache - Summary

* Managed Redis / Memcached (similar offering as RDS, but for caches)
* In-memory data store, sub-millisecond latency
* Select an ElastiCache instance type (e.g., cache.m6g.large)
* Support for Clustering (Redis) and Multi AZ, Read Replicas (sharding)
* Security through IAM, Security Groups, KMS, Redis Auth
* Backup / Snapshot / Point in time restore feature
* Managed and Scheduled maintenance
* Requires some application code changes to be leveraged
* Use Case: Key/Value store, Frequent reads, less writes, cache results for DB queries, store session data for websites, cannot use SQL.
Amazon DynamoDB - Summary

* AWS proprietary technology, managed serverless NoSQL database, millisecond latency
* Capacity modes: provisioned capacity with optional auto-scaling or on-demand capacity
* Can replace ElastiCache as a key/value store (storing session data for example, using TTL feature)
* Highly Available, Multi AZ by default, Read and Writes are decoupled, transaction capability
* DAX cluster for read cache, microsecond read latency
* Security, authentication and authorization is done through IAM
* Event Processing: DynamoDB Streams to integrate with AWS Lambda, or Kinesis Data Streams
* Global Table feature: active-active setup
* Automated backups up to 35 days with PITR (restore to new table), or on-demand backups
* Export to S3 without using RCU within the PITR window, import from S3 without using WCU
* Great to rapidly evolve schemas
* Use Case: Serverless applications development (small documents 100s KB), distributed serverless cache
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Amazon 53 — Summary 


e S3 isa... key / value store for objects 
* Great for bigger objects, not so great for many small objects 
e Serverless, scales infinitely, max object size is 5 TB, versioning capability 


deis © NOILNGINLSIG 4O3 LON 


* Tiers: 53 Standard, 53 Infrequent Access, 53 Intelligent, 53 Glacier + lifecycle policy 
“ Features: Versioning, Encryption, Replication, MFA-Delete, Access Logs... 

e Security: IAM, Bucket Policies, ACL, Access Points, Object Lambda, CORS, Object/Vault Lock 
e Encryption: SSE-S3, SSE-KMS, SSE-C, client-side, TLS in transit, default encryption 

“ Batch operations on objects using 53 Batch, listing files using 53 Inventory 

“ Performance: Multi-part upload, 53 Transfer Acceleration, 53 Select 

* Automation: 53 Event Notifications (SNS, SQS, Lambda, EventBridge) 

* Use Cases: static files, key value store for big files, website hosting 
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DocumentDB Ô mongoDE 


e Aurora is an “AVWVS-implementation” of PostgreSQL / MySQL ... 
“ DocumentDB Is the same for MongoDB (which is a NoSQL database) 


e MongoDB is used to store, query, and index JSON data 
e Similar "deployment concepts” as Aurora 
* Fully Managed, highly available with replication across 3 AZ 


e DocumentDB storage automatically grows in increments of | OGB, up to 64 TB. 


e Automatically scales to workloads with millions of requests per seconds 
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Amazon Neptune 


* Fully managed graph database 
* A popular graph dataset would be a social network 


* Users have friends 
* Posts have comments LJ 
e Comments have likes from users Ne 


* Users share and like posts... 
e Highly available across 3 AZ, with up to 15 read replicas 


“ Build and run applications working with highly connected = 
datasets — optimized for these complex and hard queries 


* Can store up to billions of relations and query the graph with 
milliseconds latency 


* Highly available with replications across multiple AZs 


* Great for knowledge graphs ee ug detection, 
recommendation engines, social networking 
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Amazon Keyspaces (for Apache Cassandra) = 
* Apache Cassandra is an open-source NoSQL distributed database 


* A managed Apache Cassandra-compatible database service 

e Serverless, Scalable, highly available, fully managed by AWS 

* Automatically scale tables up/down based on the applications traffic 

* [ables are replicated 3 times across multiple AZ 

* Using the Cassandra Query Language (COL) 

e Single-digit millisecond latency at any scale, | 000s of requests per second 
* Capacity: On-demand mode or provisioned mode with auto-scaling 

e Encryption, backup, Point-In- Time Recovery (PI TR) up to 35 days 


e Use cases: store lo! devices info, time-series data, ... 
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Amazon QLDB 


QLDB stands for "Quantum Ledger Database” 

À ledger isa book recording financial transactions 

Fully Managed, Serverless, High available, Replication across 3 AZ 

Used to review history of all the changes made to your application data over time 
Immutable system: no entry can be removed or modified, cryptographically verifiable 


QLDB JOURNAL 


| BLOCK 


STRAND [2 | De a | Ge a | e- a 
27 


25 26 
|. SEQUENCE NO. 


BLOCK HASH 


DOCUMENT REVISION ENTRIES 


e 2-3x better performance than common ledger blockchain frameworks, manipulate data using SQL 


* Difference with Amazon Managed Blockchain: no decentralization component, in accordance with 
financial regulation rules 


https://docs.aws.amazon.com/qldb/latest/developerguide/ledger-structure.html 
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Amazon | imestream 


* Fully managed, fast, scalable, serverless time series database 
Automatically scales up/down to adjust capacity 

e Store and analyze trillions of events per day 

1000s times faster & 1/10" the cost of relational databases 
Scheduled queries, multi-measure records, SQL compatibility 


* Data storage tiering: recent data kept in memory and 10 
historical data kept in a cost-optimized storage 


“ Built-in time series analytics functions (helps you identify 
patterns in your data in near real-time) o 


Encryption in transit and at rest 


1996 1998 2000 2002 2004 2006 2008 2010 2012 2014 


A 


Use cases: lol apps, operational applications, real-time 
analytics, ... 
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Amazon | imestream — Architecture 


AWS Io ON Amazon 
° WE? E QuickSight 


Kinesis Data SS 


Du TS See 

© Prometheus 

@ telegraf” Amazon 

Timestream 
Grafana 
Kinesis Data WANGI 
Streams T 
M — > Any JDBC connection 


A ff nni] 
Amazon MSK Ez Kinesis Data Analytics 
For Apache Flink 
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Data & Analytics 
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Amazon Athena 


* Serverless query service to analyze data stored in Amazon 53 

* Uses standard SQL language to query the files (built on Presto) 
e Supports CSV, JSON, ORC, Avro, and Parquet 

* Pricing: $5.00 per TB of data scanned 


* Commonly used with Amazon Quicksight for 
reporting/dashboards 


Amazon 


Use cases: Business intelligence / analytics / reporting, analyze & Ahera 


query VPC Flow Logs, ELB Logs, Cloud Trail trails, etc... 


e Exam Tip: analyze data in S3 using serverless SQL, use Athena 


Amazon 
QuickSight 
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Amazon Athena — Performance Improvement 


* Use columnar data for cost-savings (less scan) 
* Apache Parquet or ORC is recommended 
* Huge performance improvement 
* Use Glue to convert your data to Parquet or ORC 


e Compress data for smaller retrievals (bzip2, gzip, Iz4, snappy, zlip, zstd...) 


* Partition datasets in 53 for easy querying on virtual columns 


e s3://yourBucket/path To Table 
/<PARTITION_COLUMN_NAME>=<VALUE> 
/<PARTITION_COLUMN_NAME>=<VALUE> 
/<PARTITION_COLUMN_NAME>=<VALUE> 
/etc... 


e Example: s3://athena-examples/flight/parquet/year= | 99 | /month- | /day= 1/ 
* Use larger files (> 128 MB) to minimize overhead 
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Amazon Athena — Federated Query 


* Allows you to run SQL queries across ei ee 
data stored in relational, non-relational, 53 Bucket 
object, and custom data sources (AWS Ve 
or on-premises) = es 
ElastiCache Connector) 


* Uses Data Source Connectors that run 
on AWS Lambda to run Federated Em ex 
Queries (e.g., Cloud Watch Logs, Duce DE 


HBase in EMR 


T 


Database 
(On-Premises) 


= E ü- 
Redshift B = = 


Aurora SOL Server MySQL 


DynamoDB, RDS, ...) 
e Store the results back in Amazon S3 


4 


DynamoDB 
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Redshift Overview 


e Redshift is based on PostgreSQL, but it's not used for OLTP 
e [ts OLAP — online analytical processing (analytics and data warehousing) 
e |Ox better performance than other data warehouses, scale to PBs of data 
e Columnar storage of data (instead of row based) & parallel query engine 
* Pay as you go based on the instances provisioned 

* Has a SQL interface for performing the queries 

* BI tools such as Amazon Quicksight or Tableau integrate with it 

* vs Athena: faster queries / joins / aggregations thanks to indexes 
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Redshift Cluster 


SELECT COUNT (*), ... * Leader node: for query 
FROM MY TABLE : 
GROUP BY ... planning, results 
aggregation 
JDBC/ODBC 


LLL * Compute node: for 
Amazon Redshift Cluster | performing the queries, 
| send results to leader 


* You provision the node 
size in advance 


| e You can used Reserved 
aaa S aan, Instances for cost 
savings 


er Leader Node: 


Compute Nodes: 
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Redshift — Snapshots & DR 


e Redshift has "Multi-AZ" mode for some clusters 


Snapshots are point-in-time backups of a cluster, 
stored internally in 53 


e Snapshots are incremental (only what has | 
changed Is saved) | Redshift Cluster 


e You can restore a snapshot into a new cluster | (Original) 


[Region ` 
(us-east-1) 


Take Snapshot Cluster 
Snapshot 


e Automated: every 8 hours, every 5 GB, or on a Automated 
schedule. Set retention between | to 35 days / Manual 


e Manual: snapshot is retained until you delete it 2 DE PAGAN 


is 


Region 
(eu-west-1) 


* You can configure Amazon Redshift to 
automatically copy snapshots (automated or 
manual) of a cluster to another AWS Region 


Restore Copied 
Snapshot 
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Loading data into Redshift: 
large inserts are MUCH better 


L—1 


Amazon Kinesis Amazon Redshift | 


Data Firehose Cluster | 
(through S3 copy) 


Data Firehose JDBC driver 
| AD | 
= | Without Enhanced VPC Routing | 
| Through VPC | 
| With Enhanced VPC Routing | 
(mybucket) Cluster | __ Cluster 
| Better to write 


Amazon Kinesis S3 using COPY command EC2 Instance 
! Internet 
S3 Bucket Amazon Redshift EC2 Instance Amazon Redshift 
Data in batches 


Copy customer 
from 's3://mybucket/mydata’ 
iam role 'arn:aws:iam::0123456789012:role/MyRedshi ftRole'; 
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SELECT COUNT (#4), ... 
FROM S3.EXT TABLE 
GROUP BY... 


Redshift Spectrum 


JDBC/ODBC 


ee an an aa em re em rm an zm an rm an zm zm zm an rm ama zs + 


Amazon Redshift Cluster 


‘wår Leader Node 


e Query data that is already in 
53 without loading it 


e Must have a Redshift cluster 
available to start the query 


e The query is then submitted 
to thousands of Redshift 
Spectrum nodes 
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Amazon Opensearch Service 


EI 


C 


“ Amazon OpenSearch is successor to Amazon ElasticSearch 

e In DynamoDB, queries only exist by primary key or indexes... 

“ With OpenSearch, you can search any field, even partially matches 

* It's common to use OpenSearch as a complement to another database 
e Iwo modes: managed cluster or serverless cluster 

* Does not natively support SQL (can be enabled via a plugin) 

* Ingestion from Kinesis Data Firehose, AWS lol, and CloudWatch Logs 
e Security through Cognito & IAM, KMS encryption, TLS 

e Comes with OpenSearch Dashboards (visualization) 
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OpenSearch patterns 
DynamoDB 


CRUD 


DynamoDB Table DynamoDB Stream 


API to retrieve items 


© Stephane Maarek 


Lambda Function 


Amazon OpenSearch 


Ei 


API to search items 
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OpenSearch patterns 
CloudWatch Logs 


Real time e 


Lambda Function 
(managed by AWS) 


CloudWatch Logs Subscription Filter 
CloudWatch Logs Subscription Filter 
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SHE 
pP 


Kinesis Data Firehose 


Near Real Time Gi 


a 


Amazon OpenSearch 


La 


Amazon OpenSearch 
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OpenSearch patterns | 
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Streams Streams T, 2 
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CH 

Lambda $ 

| 3 

Function D 

Kinesis Data data Lambda > 
Firehose transformation N N Function D 
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Amazon EMR 


e EMR stands for "Elastic MapReduce” 


e EMR helps creating Hadoop clusters (Big Data) to analyze and process 
vast amount of data 


* The clusters can be made of hundreds of EC2 instances 

e EMR comes bundled with Apache Spark, HBase, Presto, Flink... 
* EMR takes care of all the provisioning and configuration 

“ Auto-scaling and integrated with Spot instances 


“ Use cases: data processing, machine learning, web indexing, big data... 
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Amazon EMR — Node types & purchasing 


e Master Node: Manage the cluster, coordinate, manage health — long running 
* Core Node: Run tasks and store data — long running 
* Task Node (optional): Just to run tasks — usually Spot 


* Purchasing options: 
* On-demand: reliable, predictable, won t be terminated 
* Reserved (min | year): cost savings (EMR will automatically use if available) 
e Spot Instances: cheaper, can be terminated, less reliable 


* Can have long-running cluster, or transient (temporary) cluster 
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Amazon QuickSight 


e Serverless machine learning-powered business intelligence service to create 
interactive dashboards 


* Fast, automatically scalable, embeddable, with per-session pricing 


hd Use Cases: Business Summary Dashboard 
* Business analytics sa dl D 
* Building visualizations 
e Perform ad-hoc analysis 
* Get business insights using data 


Integrated with RDS, Aurora, 


$36,755K 


Allstate 
$639) 


Fannie Mae 


e In-memory computation using SPICE _ — (ruft 
engine if data is imported into QuickSight = maa aa a IDC 


Enterprise edition: eae uy to setup 
Column-Level security (CLS) 


Central Enterprise 


2,368 


https://aws.amazon.com/quicksight/ 


Sales Trend Orders Trend 
Sales by Industry 
ial Last90Days YoY MoM Total Orders YoY Orders MoM Orders 
= Finance 
: $4,478K 20.3496 -19.45% 71% 
' 
K 


$335K 


$2,794 
Retail Orders by State Top Customers by Sales and Profit 
N H Transpo. $5,256. 
$3,451. EI Morgan Stanley TIAA-CREF Prudent. State F. Mi 
e a e S | =- 
J J LI D LI 
$3,929k (11%) | Tech 
i $5,088K (14%) Aetna Wells Fargo 
Healthcare $436K S371K IN 
D 1 1 $2! 


$247k 


Sales vs Goal 


Q1' 2019 
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gn Integrations 


teradata. 


| Databases (JDBC) 


Aurora Redshift || 


Data Sources (AWS Services) 


ae ee ee Re ee ae ee ee ae ee — — — — — | 


Kel | © Data Sources (Imports) 
is | | ES => 
| JSON| 


Athena OpenSearch | Zen 
A NEE | 


| | Data Sources (SaaS) | 
e 4 


E gro" 
Timestream NE 3 ira | | Tbe 


c i ae p 


————— esse ses Ses sens ns sel 
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QuickSight — Dashboard & Analysis 


* Define Users (standard versions) and Groups (enterprise version) 
e These users & groups only exist within QuickSight, not IAM !! 


e A dashboard... 


* is a read-only snapshot of an analysis that you can share 
* preserves the configuration of the analysis (filtering, parameters, controls, sort) 


* You can share the analysis or the dashboard with Users or Groups 
* [o share a dashboard, you must first publish it 
* Users who see the dashboard can also see the underlying data 
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AWS Glue 


* Managed extract, transform, and load (ETL) service 
* Useful to prepare and transform data for analytics 


* Fully serverless service 


Glue ETL 
S3 Bucket 


Ansan Extract 
Amazon RDS [RPS = Tiansform Redshift 


Data Warehouse 
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AWS Glue — Convert data into Parquet format 


Glue ETL 
S3 Put Import CSV Parquet Analyze À 
7 M ©) Athena 
Input Output 
S3 Bucket S3 Bucket 


Trigger 
Glue ETL Job 


Event notifications 


On S3 PUT Lambda Function 


(EventBridge works as an alternative) 
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Glue Data Catalog: catalog of datasets V 


Amazon S3 


ROS | == 

= We | 
= Eg —À 

Amazon RDS wy ' AWS Glue 


Writes Metadata 


Data Catalog 
AWS Glue 


Data Crawler Database ` Database 


Amazon 
Redshift 
Spectrum 


Tables i! Tables ; Qs: 


| Amazon EMR 


Amazon DynamoDB 


JDBC 
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Glue — things to know at a high-level 


* Glue Job Bookmarks: prevent re-processing old data 


* Glue Elastic Views: 
* Combine and replicate data across multiple data stores using SQL 
* No custom code, Glue monitors for changes in the source data, serverless 
e Leverages a ‘virtual table" (materialized view) 


* Glue DataBrew: clean and normalize data using pre-built transformation 
* Glue Studio: new GUI to create, run and monitor ETL Jobs in Glue 


* Glue Streaming ETL (built on Apache Spark Structured Streaming): 
compatible with Kinesis Data Streaming, Kafka, MSK (managed Kafka) 
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AWS Lake Formation 


* Data lake = central place to have all your data for analytics purposes 
e Fully managed service that makes it easy to setup a data lake in days 
“ Discover, cleanse, transform, and ingest data into your Data Lake 


* |t automates many complex manual steps (collecting, cleansing, moving, 
cataloging data, ...) and de-duplicate (using ML Transforms) 


e Combine structured and unstructured data in the data lake 

* Out-of-the-box source blueprints: 53, RDS, Relational & NoSOL DB... 

* Fine-grained Access Control for your applications (row and column-level) 
* Built on top of AWS Glue 
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AWS Lake Formation 


Data Sources 


Source Crawlers 


Amazon S3 


ETL and Data Prep. 


E 


Users 


ingest 


* 


E 


Data Catalog 


Security Settings 


SS 
D 
Q 
n 
3 
= 


=---------------------y---------------------- 


| R_A 
v 


RDS Aurora 
S Access Control mem 
| AWS Lake Formation 
On-Premises Gh ee ap amem a amanea nee uen NG 
Database (SQL & NoSQL) Spa K 


Eë Data Lake 
Vy" (stored in S3) 
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AWS Lake Formation 
Centralized Permissions Example 


Data Sources 


Amazon S3 ingest = Access Control 
Column-level security | 
RA + | 
=> = | "m 
_ AWS Lake Formation Quicksigh 
RDS Aurora 


Eë Data Lake 
WW (stored in S3) 
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Kinesis Data Analytics for SQL applications 


sal | 
Statements 


Kinesis 
' Data Streams EN AWS Lambda ——» anywhere 


i Applications —> anywhere ` 


t3 Amazon S3 | 


Kinesis Amazon Redshift | 


! Kinesis 
Data Streams 


! MAH | Kinesis 


' Data Firehose 


| Kinesis | Data Analytics (COPY through 53) | 
| Data Firehose ' — for SQL Applications | 
| | | Other Firehose destinations... | 
i Sources | | Sinks 


———————— md e a an e, n a EE Ee e Er E e n 


Reference Data in S3 
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Kinesis Data Analytics (SQL application) 


* Real-time analytics on Kinesis Data Streams & Firehose using SQL 
* Add reference data from Amazon 53 to enrich streaming data 

* Fully managed, no servers to provision 

e Automatic scaling 

* Pay for actual consumption rate 

e Output: 


* Kinesis Data Streams: create streams out of the real-time analytics queries 
* Kinesis Data Firehose: send analytics query results to destinations 


* Use cases: 
e Time-series analytics 
* Real-time dashboards 
* Real-time metrics 
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Kinesis Data Analytics for Apache Flink 


e Use Flink (Java, Scala or SQL) to process and analyze streaming data 
Kinesis Data SS 


Streams 17 C 
- 5 e. 
(lil Flink 
Amazon MSK 


Kinesis Data Analytics 
For Apache Flink 


* Run any Apache Flink application on a managed cluster on AVVS 
* provisioning compute resources, parallel computation, automatic scaling 
* application backups (implemented as checkpoints and snapshots) 
* Use any Apache Flink programming features 
* Fink does not read from Firehose (use Kinesis Analytics for SQL instead) 


© Stephane Maarek 


o5'snijnuin2e3ep"MMM »[oJee|A eueudeis © NOILNAINLSIG 803 LON 


UJ 


Amazon Managed Streaming Tor Apache 
Kafka (Amazon MSK) 


e Alternative to Amazon Kinesis 
* Fully managed Apache Kafka on AWS 


* Allow you to create, update, delete clusters 

e MSK creates & manages Kafka brokers nodes & Zookeeper nodes for you 
e Deploy the MSK cluster in your VPC, multi-AZ (up to 3 for HA) 

e Automatic recovery from common Apache Kafka failures 

* Data is stored on EBS volumes for as long as you want 


e MSK Serverless 
e Run Apache Kafka on MSK without managing the capacity 
e MSK automatically provisions resources and scales compute & storage 
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Apache Kafka at a high level 


Kinesis = 


Broker 1 


loT Producers | Write to topic 
- > 
(your code) IK 
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Kinesis Data Streams vs. Amazon MSK 


Amazon MSK 


SS Kinesis Data Streams 


TE 
* | MB message size limit e | MB default, configure for higher (ex: |OMB) 
* Data Streams with Shards * Kafka Topics with Partitions 
e Shard Splitting & Merging * Can only add partitions to a topic 
e TLS In-flight encryption e PLAINTEXT or TLS In-flight Encryption 
e KMS at-rest encryption e KMS at-rest encryption 
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Amazon MSK Consumers 


NW Kinesis Data Analytics 
7H for Apache Flink 


E AWS Glue 
Streaming ETL Jobs 
Powered by Apache Spark Streaming 


Amazon MSK 


meee e rn e He en e e He e be e e e rn e e rn e e rn e be rn e e e e e rn e e rn e e rn e e rn e H 


Applications Running on 


RSR 


| Amazon EC2 ECS 
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Big Data Ingestion Pipeline 


“ We want the ingestion pipeline to be fully serverless 

“ We want to collect data in real time 

“ We want to transform the data 

“ We want to query the transformed data using SQL 

* The reports created using the queries should be in 53 


e We want to load that data into a warehouse and create dashboards 
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Big Data Ingestion Pipeline 


Q loT Devices Pull data 


Real-time | — Ingestion Ge 
very 1 minute Bucket Bucket 
. v 
trigger 
[s] 
Amazon Kinesis Data Amazon Kinesis Data Amazon Simple Storage Amazon Simple Queue AWS Lambda Amazon Athena Amazon Simple Storage 
Streams Firehose Service (S3) Service Service (S3) 


(optional) 


AWS Lambda 


Amazon QuickSight Amazon Bdshift 
(not serverless) 
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Big Data Ingestion Pipeline discussion 


e lol Core allows you to harvest data from lol devices 

* Kinesis is great for real-time data collection 

* Firehose helps with data delivery to 53 in near real-time (| minute) 

* | ambda can help Firehose with data transformations 

* Amazon 53 can trigger notifications to SQS 

* | ambda can subscribe to SQS (we could have connecter 53 to Lambda) 
e Athena Is a serverless SOL service and results are stored in 53 


* [he reporting bucket contains analyzed data and can be used by 
reporting tool such as AWS QuickSight, Redshift, etc... 
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Machine Learning 
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Amazon Rekognition 


* Find objects, people, text, scenes in images and videos using ML 
* Facial analysis and facial search to do user verification, people counting 
* Create a database of "familiar faces” or compare against celebrities 


* Use cases: 
* Labeling 
* Content Moderation 
* Text Detection 
* Face Detection and Analysis (gender age range, emotions...) 
* Face Search and Verification 
* Celebrity Recognition 
* Pathing (ex: for sports game analysis) 
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Amazon Rekognition — Content Moderation 


* Detect content that is inappropriate, unwanted, " PA 
or offensive (Image and videos) 


* Used in social media, broadcast media, 
advertising, and e-commerce situations to create SE 
a safer User experience Rekognition 


e Set a Minimum Confidence Threshold for items 
that will be flagged 


* Flag sensitive content for manual review in Confidence Level 
Amazon Augmented Al (A21) and Threshold 


* Help comply with regulations 


Optional Manual 


review in A2l 
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Amazon Iranscribe Gi 


e Automatically convert speech to text 


“ Uses a deep learning process called automatic speech recognition (ASR) to 
convert speech to text quickly and accurately 


* Automatically remove Personally Identifiable Information (PII) using Redaction 
e Supports Automatic Language Identification for multi-lingual audio 


* Use cases: 
* transcribe customer service calls 
* automate closed captioning and subtitling 
* generate metadata for media assets to create a fully searchable archive 


"Hello my name is Stéphane. 
| hope you're enjoying the course! 


> 
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Amazon Polly 


* Turn text into lifelike speech using deep learning 
* Allowing you to create applications that talk 


Hi! My name is Stéphane 
and this is a demo of Amazon Polly 
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Amazon Polly — Lexicon & SSML 


* Customize the pronunciation of words with Pronunciation lexicons 
e Stylized words: St3ph4ne => "Stephane" 
* Acronyms: AWS => "Amazon Web Services" 


e Upload the lexicons and use them in the SynthesizeSpeech operation 


* Generate speech from plain text or from documents marked up with Speech 
Synthesis Markup Language (SSML) — enables more customization 
* emphasizing specific words or phrases 
* using phonetic pronunciation 
* including breathing sounds, whispering 
* using the Newscaster speaking style 
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Amazon Iranslate 


“ Natural and accurate language translation 


“ Amazon Iranslate allows you to localize content - such as websites and 
applications - for international users, and to easily translate large 
volumes of text efficiently. 


Source language Target language 
Auto (auto) v French (fr) v 
| Hi my name is Stéphane | Bonjour, je m'appelle Stéphane. 
Portuguese (pt) v 
Oi, meu nome é Stéphane. 
Hindi (hi) v 
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Amazon Lex & Connect 


“ Amazon Lex: (same technology that powers Alexa) 
* Automatic Speech Recognition (ASR) to convert speech to text 
* Natural Language Understanding to recognize the intent of text, callers 
* Helps build chatbots, call center bots 


* Amazon Connect: 
* Receive calls, create contact flows, cloud-based virtual contact center 
* Can integrate with other CRM systems or AVVS 
* No upfront payments, 80% cheaper than traditional contact center solutions 


CER 
Phone Call call stream = invoke schedule 
Schedule an > 
Appointment [— 


Connect Lex Lambda CRM 


Intent recognized p 
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Amazon Comprehend 


For Natural Language Processing — NLP 
* Fully managed and serverless service 


* Uses machine learning to find insights and relationships in text 
* | anguage of the text 
* Extracts key phrases, places, people, brands, or events 
* Understands how positive or negative the text Is 
* Analyzes text using tokenization and parts of speech 
* Automatically organizes a collection of text files by topic 


e Sample use cases: 
* analyze customer interactions (emails) to find what leads to a positive or negative experience 
* Create and groups articles by topics that Comprehend will uncover 
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Amazon Comprehend Medical 


m 


e Amazon Comprehend Medical detects and returns useful information in 
unstructured clinical text: 
* Physician's notes 
* Discharge summaries 
e [est results 
* (Case notes 


e Uses NLP to detect Protected Health Information (PHI) — DetectPHl API 
e Store your documents in Amazon 53, analyze real-time data with Kinesis 


Data Firehose, or use Amazon Iranscribe to transcribe patient narratives 
into text that can be analyzed by Amazon Comprehend Medical. 
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Amazon SageMaker E? 


e Fully managed service for developers / data scientists to build ML models 


* |ypically, difficult to do all the processes in one place + provision servers 


e Machine learning process (simplified): predicting your exam score 


| 670 | 
E F label =o E build dip. n Train and Tune 


ML model 
years of experience in 
Appl del 
# years of experience with AWS pply mode 


Time spent on the course 
id — E — y | PASS WITH 906 | WITH 906 
New data 


Prediction 
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Amazon Forecast 


* Fully managed service that uses ML to deliver highly accurate forecasts 

* Example: predict the future sales of a raincoat 

“ 50% more accurate than looking at the data itself 

* Reduce forecasting time from months to hours 

* Use cases: Product Demand Planning, Financial Planning, Resource Planning, ... 


Historical Time-series Data: 
Product features 


Prices 

upload 
Discounts 
Website traffic 


Store locations 


Forecasting Model Future sales 
Amazon 53 Amazon Forecast GENG 


$500,000 
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Amazon Kendra 


* Fully managed document search service powered by Machine Learning 

* Extract answers from within a document (text, pdf, HTML, PowerPoint, MS Word, FAQs...) 
e Natural language search capabilities 

* Learn from user interactions/feedback to promote preferred results (Incremental Learning) 
* Ability to manually fine-tune search results (importance of data, freshness, custom, ...) 


H 


Where is the IT support desk? 


Let floor A 


* User 


Data Sources 


WM E 6 $ 


Amazon S3 Amazon RDS Google Drive MS SharePoint ! 


indexing 


| Knowledge Index 
|. (powered by ML) 


3'd party, 


MS OneDrive 


servicenow 


APNs, 
Custom 


Amazon Kendra 


=e ee ee ad et. bet il eg el 
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Amazon Personalize 


* Fully managed ML-service to build apps with real-time personalized recommendations 


* Example: personalized product recommendations/re-ranking, customized direct marketing 
e Example: User bought gardening tools, provide recommendations on the next one to buy 


“ Same technology used by Amazon.com 

* Integrates into existing websites, applications, SMS, email marketing systems, ... 

e Implement in days, not months (you don't need to build, train, and deploy ML solutions) 
* Use cases: retail stores, media and entertainment... 


LJ Websites & Apps 


L Mobile Apps 
[EA SMS 


Emails 
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read data from S3 
Amazon S3 > 
Customized personalized API 
IN > 


. real-time data integration 
Amazon Personalize API IES S 


Amazon Personalize 
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Amazon lextract €] 


* Automatically extracts text, handwriting, and data from any scanned 
documents using Al and ML 


DRIVER LICENSE 


LEA 

ID: 123456789-005 ana lyze 
NAME SURNAME > ES 
DOS 23.05.1997 155 12.03.2012 = 
SEX F ExP 12.08.2020 
CLASS DONOR © 


B 
7:7" | NANA AA MAA ANA NANA LL 


“Document ID”: “123456789-0057, 
“Name”: We 
“SEX”: ZE 


result 


“DOB”: “23.05.1997”, 


Amazon Textract 


* Extract data from forms and tables 
* Read and process any type of document (PDFs, images, ...) 


* Use cases: 
e Financial Services (e.g. invoices, financial reports) 
* Healthcare (e.g., medical records, insurance claims) 
* Public Sector (e.g., tax forms, ID documents, passports) 
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AWS Machine Learning - Summary 


* Rekognition: face detection, labeling, celebrity recognition 
* Transcribe: audio to text (ex: subtitles) 

“ Polly: text to audio 

* Translate: translations 

* Lex build conversational bots — chatbots 

* Connect: cloud contact center 

“ Comprehend: natural language processing 

e SageMaker: machine learning for every developer and data scientist 
“ Forecast: build highly accurate forecasts 

“ Kendra: ML-powered search engine 

* Personalize: real-time personalized recommendations 

* [extract detect text and data in documents 
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AWS Monitoring, Audit and 
Performance 


CloudWatch, Cloud Trail & AWS Config 
Amazon CloudWatch Metrics

* CloudWatch provides metrics for every service in AWS
* Metric is a variable to monitor (CPUUtilization, NetworkIn, ...)
* Metrics belong to namespaces
* Dimension is an attribute of a metric (instance id, environment, etc.)
  * Up to 30 dimensions per metric
* Metrics have timestamps
* Can create CloudWatch dashboards of metrics
* Can create CloudWatch Custom Metrics (for the RAM for example)

© Stephane Maarek


CloudWatch Metric Streams

* Continually stream CloudWatch metrics to a destination of your choice, with near-real-time delivery and low latency
  * Amazon Kinesis Data Firehose (and then its destinations)
  * 3rd party service provider: Datadog, Dynatrace, New Relic, Splunk, Sumo Logic, ...
* Option to filter metrics to only stream a subset of them

[Diagram: CloudWatch Metrics are streamed near-real-time into Kinesis Data Firehose, which delivers to Amazon S3 (queried with Athena), Amazon Redshift or Amazon OpenSearch]
CloudWatch Logs

* Log groups: arbitrary name, usually representing an application
* Log stream: instances within application / log files / containers
* Can define log expiration policies (never expire, 1 day to 10 years, ...)
* CloudWatch Logs can send logs to:
  * Amazon S3 (exports)
  * Kinesis Data Streams
  * Kinesis Data Firehose
  * AWS Lambda
  * OpenSearch
* Logs are encrypted by default
* Can setup KMS-based encryption with your own keys
CloudWatch Logs - Sources

* SDK, CloudWatch Logs Agent, CloudWatch Unified Agent
* Elastic Beanstalk: collection of logs from application
* ECS: collection from containers
* AWS Lambda: collection from function logs
* VPC Flow Logs: VPC specific logs
* API Gateway
* CloudTrail based on filter
* Route53: Log DNS queries
CloudWatch Logs Insights

[Screenshot of CloudWatch > Logs Insights: select log group(s) (here application.log), change the time range (2021-11-09 06:40:02 to 06:55:17), browse the fields discovered in your log groups, and write the query in the editor:

fields @timestamp, @message
| sort @timestamp desc
| limit 20

Queries are allowed to run for up to 15 minutes. Tabs show the query results (Logs) and visualization options; results can be exported or added to a dashboard. The sample run shows "Showing 20 of 10,197 records matched", "10,197 records (2.3 MB) scanned in 3.3s @ 3,091 records/s (714.9 kB/s)", a histogram of matched events per minute between 06:40 and 06:55, and matched rows such as:

2021-11-09T06:54:17.62...  {"Severity": "INFO", "message": "This is where the message detail would go", "IP Address": "10.30.86.98", "Timestamp": "2021-11-09T11:...
2021-11-09T06:54:13.38...  {"Severity": "INFO", "message": "This is where the message detail would go", "IP Address": "192.168.0.43", "Timestamp": "2021-11-09T11...]

https://mng.workshop.aws/operations-2022/detect/cwlogs.html
CloudWatch Logs Insights

* Search and analyze log data stored in CloudWatch Logs
* Example: find a specific IP inside a log, count occurrences of "ERROR" in your logs, ...
* Provides a purpose-built query language
* Automatically discovers fields from AWS services and JSON log events
* Fetch desired event fields, filter based on conditions, calculate aggregate statistics, sort events, limit number of events, ...
* Can save queries and add them to CloudWatch Dashboards
* Can query multiple Log Groups in different AWS accounts
* It's a query engine, not a real-time engine

[Screenshot: the "Sample queries" panel (Lambda, CloudTrail, Common queries), for example "25 most recently added log events":

fields @timestamp, @message
| sort @timestamp desc
| limit 25

and "Number of exceptions logged every 5 minutes":

filter @message like /Exception/
| stats count(*) as exceptionCount by bin(5m)
| sort exceptionCount desc

Each sample query has an "Apply" button that copies it into the editor]
CloudWatch Logs - S3 Export

[Diagram: CloudWatch Logs exports to Amazon S3]

* Log data can take up to 12 hours to become available for export
* The API call is CreateExportTask
* Not near-real time or real-time... use Logs Subscriptions instead
CloudWatch Logs Subscriptions

* Get real-time log events from CloudWatch Logs for processing and analysis
* Send to Kinesis Data Streams, Kinesis Data Firehose, or Lambda
* Subscription Filter: filter which log events are delivered to your destination

[Diagram: CloudWatch Logs -> Subscription Filter -> logs delivered to Kinesis Data Streams (real-time; consumed by KDF, KDA, EC2, Lambda), to Kinesis Data Firehose (near real-time; delivering to S3 or OpenSearch Service), or to Lambda (real-time)]
CloudWatch Logs Aggregation - Multi-Account & Multi Region

[Diagram: CloudWatch Logs in several accounts and regions (Account A / Region 1, Account B, ...) each use a Subscription Filter to send log events to a central Kinesis Data Streams -> Kinesis Data Firehose -> Amazon S3 (near real-time)]
CloudWatch Logs Subscriptions

* Cross-Account Subscription: send log events to resources in a different AWS account (KDS, KDF)

[Diagram: Account Sender (111111111111): CloudWatch Logs -> Subscription Filter -> logs -> Account Recipient (999999999999): Subscription Destination (protected by a Destination Access Policy) -> IAM Role (cross-account, can be assumed by the CloudWatch Logs service, allows PutRecord) -> Kinesis Data Streams (RecipientStream)]

IAM Role (Cross-Account) - permissions policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "kinesis:PutRecord",
      "Resource": "arn:aws:kinesis:us-east-1:999999999999:stream/RecipientStream"
    }
  ]
}

Destination Access Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "111111111111"
      },
      "Action": "logs:PutSubscriptionFilter",
      "Resource": "arn:aws:logs:us-east-1:999999999999:destination:testDestination"
    }
  ]
}
CloudWatch Logs for EC2

* By default, no logs from your EC2 machine will go to CloudWatch
* You need to run a CloudWatch agent on EC2 to push the log files you want
* Make sure IAM permissions are correct
* The CloudWatch log agent can be setup on-premises too

[Diagram: a CloudWatch Logs Agent runs on an EC2 Instance and on an On Premise Server; both push logs to CloudWatch Logs]
CloudWatch Logs Agent & Unified Agent

* For virtual servers (EC2 instances, on-premises servers, ...)
* CloudWatch Logs Agent
  * Old version of the agent
  * Can only send to CloudWatch Logs
* CloudWatch Unified Agent
  * Collect additional system-level metrics such as RAM, processes, etc.
  * Collect logs to send to CloudWatch Logs
  * Centralized configuration using SSM Parameter Store
CloudWatch Unified Agent - Metrics

* Collected directly on your Linux server / EC2 instance
* CPU (active, guest, idle, system, user, steal)
* Disk metrics (free, used, total), Disk IO (writes, reads, bytes, ops)
* RAM (free, inactive, used, total, cached)
* Netstat (number of TCP and UDP connections, net packets, bytes)
* Processes (total, dead, blocked, idle, running, sleep)
* Swap Space (free, used, used %)

* Reminder: out-of-the-box metrics for EC2 - disk, CPU, network (high level)
CloudWatch Alarms

* Alarms are used to trigger notifications for any metric
* Various options (sampling, %, max, min, etc.)
* Alarm States:
  * OK
  * INSUFFICIENT_DATA
  * ALARM
* Period:
  * Length of time in seconds to evaluate the metric
  * High resolution custom metrics: 10 sec, 30 sec or multiples of 60 sec
CloudWatch Alarm Targets

* Stop, Terminate, Reboot, or Recover an EC2 Instance
* Trigger Auto Scaling Action
* Send notification to SNS (from which you can do pretty much anything)

[Icons: Amazon EC2, EC2 Auto Scaling, Amazon SNS]
CloudWatch Alarms - Composite Alarms

* CloudWatch Alarms are on a single metric
* Composite Alarms are monitoring the states of multiple other alarms
  * AND and OR conditions
* Helpful to reduce "alarm noise" by creating complex composite alarms

[Diagram: an EC2 Instance is monitored by CW Alarm A (CPU) and CW Alarm B (IOPS); the Composite Alarm combines their states (for example A AND B in ALARM) and triggers a notification to Amazon SNS]
EC2 Instance Recovery

* Status Check:
  * Instance status = check the EC2 VM
  * System status = check the underlying hardware

[Diagram: an EC2 instance is monitored by a CloudWatch Alarm on StatusCheckFailed_System; when it fires, the alarm alerts an SNS Topic and triggers EC2 Instance Recovery]

* Recovery: Same Private, Public, Elastic IP, metadata, placement group
CloudWatch Alarm: good to know

* Alarms can be created based on CloudWatch Logs Metrics Filters

[Diagram: CW Logs -> Metric Filter -> CW Alarm -> Amazon SNS]

* To test alarms and notifications, set the alarm state to Alarm using CLI

aws cloudwatch set-alarm-state --alarm-name "myalarm" --state-value ALARM --state-reason "testing purposes"
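As an added example (not part of the course slides), the chain described on the last few slides, a metric filter over JSON log events, the Logs Insights style `count(*) by bin(5m)` aggregation and the alarm's OK / INSUFFICIENT_DATA / ALARM decision, is simulated offline in Python. The log events, the field and value being filtered on, and the alarm thresholds are all constructed for the demo.

```python
"""Added example (not from the course slides): a CloudWatch Logs metric filter
feeding an alarm, simulated offline. Constructed JSON log events, in the shape
of the Logs Insights screenshot, are matched against a metric-filter pattern,
counted per 5-minute period (what `stats count(*) by bin(5m)` does in Logs
Insights), and the datapoints are pushed through the alarm's
OK / INSUFFICIENT_DATA / ALARM logic. Events, fields and thresholds are invented."""
from datetime import datetime, timezone

# Constructed log events: (ingestion timestamp, parsed JSON message).
SAMPLE_EVENTS = [
    ("2021-11-09T06:40:05Z", {"Severity": "INFO",  "message": "service started", "IP Address": "10.30.86.98"}),
    ("2021-11-09T06:41:10Z", {"Severity": "ERROR", "message": "db timeout",      "IP Address": "10.30.86.98"}),
    ("2021-11-09T06:41:30Z", {"Severity": "ERROR", "message": "db timeout",      "IP Address": "192.168.0.43"}),
    ("2021-11-09T06:46:00Z", {"Severity": "INFO",  "message": "healthcheck ok",  "IP Address": "192.168.0.43"}),
    ("2021-11-09T06:51:12Z", {"Severity": "ERROR", "message": "db timeout",      "IP Address": "10.30.86.98"}),
    ("2021-11-09T06:52:40Z", {"Severity": "ERROR", "message": "disk full",       "IP Address": "10.30.86.98"}),
    ("2021-11-09T06:53:01Z", {"Severity": "ERROR", "message": "disk full",       "IP Address": "10.30.86.98"}),
]


def matches_metric_filter(message: dict, field: str, value: str) -> bool:
    """Equivalent of the JSON metric filter pattern { $.<field> = "<value>" }."""
    return message.get(field) == value


def datapoints(events, field, value, period_s=300):
    """Matching events per period, oldest period first.
    A period that saw events but no match reports 0, which is what a metric
    filter publishes when created with --default-value 0; without that setting
    CloudWatch would see missing data for the period instead."""
    counts = {}
    for ts, message in events:
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        period = int(t.timestamp()) // period_s * period_s
        counts[period] = counts.get(period, 0) + int(matches_metric_filter(message, field, value))
    return [counts[p] for p in sorted(counts)]


def alarm_state(points, threshold, evaluation_periods, datapoints_to_alarm=None):
    """GreaterThanThreshold alarm evaluated over the last `evaluation_periods`
    datapoints ("M out of N"): ALARM when at least `datapoints_to_alarm` of them
    breach, OK otherwise. Fewer datapoints than evaluation_periods is modelled
    as INSUFFICIENT_DATA (the simplest of CloudWatch's missing-data treatments)."""
    datapoints_to_alarm = datapoints_to_alarm or evaluation_periods
    if len(points) < evaluation_periods:
        return "INSUFFICIENT_DATA"
    window = points[-evaluation_periods:]
    breaching = sum(1 for p in window if p > threshold)
    return "ALARM" if breaching >= datapoints_to_alarm else "OK"


def error_alarm(events, threshold=1, evaluation_periods=2, datapoints_to_alarm=1):
    """Wire it together: count ERROR events per 5 minutes, then evaluate the alarm."""
    return alarm_state(datapoints(events, "Severity", "ERROR"),
                       threshold, evaluation_periods, datapoints_to_alarm)


if __name__ == "__main__":
    print("ERROR count per 5 min:", datapoints(SAMPLE_EVENTS, "Severity", "ERROR"))
    print("alarm state:", error_alarm(SAMPLE_EVENTS))
```

With the sample events the 06:40, 06:45 and 06:50 bins hold 2, 0 and 3 ERROR events; an alarm configured as "1 out of 2 datapoints above 1" goes to ALARM on the last bin, while "2 out of 2" stays OK because the 06:45 bin is below the threshold. That is exactly the knob (datapoints-to-alarm versus evaluation periods) that decides how noisy a log-driven alarm is.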
Amazon EventBridge (formerly CloudWatch Events)

* Schedule: Cron jobs (scheduled scripts)

  Schedule Every hour -> Trigger script on Lambda function

* Event Pattern: Event rules to react to a service doing something

  IAM Root User Sign in Event -> SNS Topic with Email Notification

* Trigger Lambda functions, send SQS/SNS messages, ...
Amazon EventBridge Rules

[Diagram. Example sources: EC2 Instance (ex: Start Instance), CodeBuild (ex: failed build), S3 Event (ex: upload object), Trusted Advisor (ex: new Finding), CloudTrail (any API call), Schedule or Cron (ex: every 4 hours). They emit JSON events (with fields such as "detail-type") to Amazon EventBridge, which can filter events (optional) and route them to example destinations: Lambda, AWS Batch, ECS Task, SQS, SNS, Kinesis Data Streams, Step Functions, CodePipeline, CodeBuild, SSM, EC2 Actions]
Amazon EventBridge

[Diagram: AWS Services send events to the Default Event Bus; AWS SaaS Partners (e.g., Zendesk, Datadog) send to the Partner Event Bus; Custom Apps send to a Custom Event Bus]

* Event buses can be accessed by other AWS accounts using Resource-based Policies
* You can archive events (all/filter) sent to an event bus (indefinitely or set period)
* Ability to replay archived events
Amazon EventBridge - Schema Registry

* EventBridge can analyze the events in your bus and infer the schema
* The Schema Registry allows you to generate code for your application, that will know in advance how data is structured in the event bus
* Schema can be versioned

[Screenshot: schema aws.codepipeline@CodePipelineActionExecutionStateChange in the aws.events registry; last modified Dec 1, 2019, 12:11 AM GMT; 1 version; schema type OpenAPI 3.0; description "Schema for event type CodePipelineActionExecutionStateChange, published by AWS service aws.codepipeline"; version 1 created on Dec 1, 2019, 12:11 AM GMT; with a "Download code bindings" button]
Amazon EventBridge - Resource-based Policy

* Manage permissions for a specific Event Bus
* Example: allow/deny events from another AWS account or AWS region
* Use case: aggregate all events from your AWS Organization in a single AWS account or region

[Diagram: a Lambda function in AWS Account 111122223333 calls PutEvents on the EventBridge Bus (central-event-bus) in AWS Account 123456789012, which is allowed by the bus policy below]

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "111122223333"
      },
      "Action": "events:PutEvents",
      "Resource": "arn:aws:events:us-east-1:123456789012:event-bus/central-event-bus"
    }
  ]
}
CloudWatch Container Insights

* Collect, aggregate, summarize metrics and logs from containers
* Available for containers on...
  * Amazon Elastic Container Service (Amazon ECS)
  * Amazon Elastic Kubernetes Service (Amazon EKS)
  * Kubernetes platforms on EC2
  * Fargate (both for ECS and EKS)
* In Amazon EKS and Kubernetes, CloudWatch Insights is using a containerized version of the CloudWatch Agent to discover containers

[Diagram: ECS Container and EKS Container send metrics and logs to CloudWatch Container Insights]
Cloud Watch Lambda Insights

* Monitoring and troubleshooting solution for serverless applications running on AWS Lambda
* Collects, aggregates, and summarizes system-level metrics including CPU time, memory, disk, and network
* Collects, aggregates, and summarizes diagnostic information such as cold starts and Lambda worker shutdowns
* Lambda Insights is provided as a Lambda Layer

[Screenshot: the Lambda Insights multi-function dashboard in the CloudWatch console]
CloudWatch Contributor Insights

* Analyze log data and create time series that display contributor data.
  * See metrics about the top-N contributors
  * The total number of unique contributors, and their usage.
* This helps you find top talkers and understand who or what is impacting system performance.
* Works for any AWS-generated logs (VPC, DNS, etc.)
* For example, you can find bad hosts, identify the heaviest network users, or find the URLs that generate the most errors.
* You can build your rules from scratch, or you can also use sample rules that AWS has created (leverages your CloudWatch Logs)
* CloudWatch also provides built-in rules that you can use to analyze metrics from other AWS services.

[Diagram: VPC Flow Logs -> CloudWatch Logs -> Contributor Insights -> CloudWatch (Top-10 IP addresses)]
CloudWatch Application Insights

* Provides automated dashboards that show potential problems with monitored applications, to help isolate ongoing issues
* Your applications run on Amazon EC2 Instances with select technologies only (Java, .NET, Microsoft IIS Web Server, databases, ...)
* And you can use other AWS resources such as Amazon EBS, RDS, ELB, ASG, Lambda, SQS, DynamoDB, S3 bucket, ECS, EKS, SNS, API Gateway, ...
* Powered by SageMaker
* Enhanced visibility into your application health to reduce the time it will take you to troubleshoot and repair your applications
* Findings and alerts are sent to Amazon EventBridge and SSM OpsCenter
CloudWatch Insights and Operational Visibility

* CloudWatch Container Insights
  * ECS, EKS, Kubernetes on EC2, Fargate, needs agent for Kubernetes
  * Metrics and logs
* CloudWatch Lambda Insights
  * Detailed metrics to troubleshoot serverless applications
* CloudWatch Contributor Insights
  * Find "Top-N" Contributors through CloudWatch Logs
* CloudWatch Application Insights
  * Automatic dashboard to troubleshoot your application and related AWS services
AWS CloudTrail

* Provides governance, compliance and audit for your AWS Account
* CloudTrail is enabled by default!
* Get a history of events / API calls made within your AWS Account by:
  * Console
  * SDK
  * CLI
  * AWS Services
* Can put logs from CloudTrail into CloudWatch Logs or S3
* A trail can be applied to All Regions (default) or a single Region.
* If a resource is deleted in AWS, investigate CloudTrail first!
CloudTrail Diagram

[Diagram: API calls made through the SDK, the CLI, the Console and by IAM Users & IAM Roles are recorded by CloudTrail; from there you can Inspect & Audit in the CloudTrail Console, or deliver the logs to CloudWatch Logs and to an S3 Bucket]
CloudTrail Events

* Management Events:
  * Operations that are performed on resources in your AWS account
  * Examples:
    * Configuring security (IAM AttachRolePolicy)
    * Configuring rules for routing data (Amazon EC2 CreateSubnet)
    * Setting up logging (AWS CloudTrail CreateTrail)
  * By default, trails are configured to log management events.
  * Can separate Read Events (that don't modify resources) from Write Events (that may modify resources)

* Data Events:
  * By default, data events are not logged (because high volume operations)
  * Amazon S3 object-level activity (ex: GetObject, DeleteObject, PutObject): can separate Read and Write Events
  * AWS Lambda function execution activity (the Invoke API)

* CloudTrail Insights Events:
  * See next slide
CloudTrail Insights

* Enable CloudTrail Insights to detect unusual activity in your account:
  * inaccurate resource provisioning
  * hitting service limits
  * Bursts of AWS IAM actions
  * Gaps in periodic maintenance activity
* CloudTrail Insights analyzes normal management events to create a baseline
* And then continuously analyzes write events to detect unusual patterns
  * Anomalies appear in the CloudTrail console
  * Event is sent to Amazon S3
  * An EventBridge event is generated (for automation needs)

[Diagram: Management Events -> continuous analysis by CloudTrail Insights -> generates Insights Events -> delivered to the CloudTrail Console, an S3 Bucket and as an EventBridge event]
CloudTrail Events Retention

* Events are stored for 90 days in CloudTrail
* To keep events beyond this period, log them to S3 and use Athena

[Diagram: Management Events and Insights Events are kept for 90 days in CloudTrail; log them to an S3 Bucket for long-term retention and analyze them with Athena]
Amazon EventBridge - Intercept API Calls

[Diagram: a DeleteTable API call on DynamoDB is logged by CloudTrail (any API call); CloudTrail emits an event to Amazon EventBridge, which raises an alert]
Amazon EventBridge + CloudTrail

[Diagram 1: User A calls IAM AssumeRole on an IAM Role; CloudTrail logs the API call; EventBridge receives the event and sends a notification through SNS]

[Diagram 2: a user edits the Inbound Rules of a Security Group (EC2 AuthorizeSecurityGroupIngress); CloudTrail logs the API call; EventBridge receives the event and sends a notification through SNS]
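As an added example (not part of the course slides), the matching step that sits between CloudTrail and the SNS target in these diagrams is written out in Python: EventBridge-style event patterns for the root sign-in, AuthorizeSecurityGroupIngress and DeleteTable scenarios are applied to constructed CloudTrail events. The rule names, event contents and identifiers are invented; the envelope ("source", "detail-type", "detail") follows what CloudTrail delivers to EventBridge, and the `matches` function implements only a subset of the real pattern language (exact values, nested objects, the "prefix" filter).

```python
"""Added example (not from the course slides): EventBridge-style event pattern
matching applied to CloudTrail events, run offline. The three rules mirror the
slides' scenarios (IAM root sign-in, AuthorizeSecurityGroupIngress, DynamoDB
DeleteTable). Rule names, the events and their identifiers are constructed;
the envelope follows what CloudTrail delivers to EventBridge for management
API calls ("AWS API Call via CloudTrail", "AWS Console Sign In via CloudTrail")."""


def _match_value(cond, value) -> bool:
    """One pattern element: an exact value or a {"prefix": ...} content filter."""
    if isinstance(cond, dict):
        if "prefix" in cond:
            return isinstance(value, str) and value.startswith(cond["prefix"])
        raise ValueError(f"unsupported content filter: {cond}")
    return cond == value


def matches(pattern: dict, event: dict) -> bool:
    """Subset of EventBridge pattern semantics: every key in the pattern must be
    present in the event, a nested object recurses, and a list of candidates
    matches when any one of them matches the event's value."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not (isinstance(value, dict) and matches(allowed, value)):
                return False
        elif not any(_match_value(cond, value) for cond in allowed):
            return False
    return True


# Constructed rules (the JSON you would pass to `aws events put-rule --event-pattern`).
RULES = {
    "root-sign-in": {
        "detail-type": ["AWS Console Sign In via CloudTrail"],
        "detail": {"userIdentity": {"type": ["Root"]}},
    },
    "sg-ingress-change": {
        "source": ["aws.ec2"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {"eventSource": ["ec2.amazonaws.com"],
                   "eventName": [{"prefix": "AuthorizeSecurityGroup"}]},
    },
    "dynamodb-delete-table": {
        "source": ["aws.dynamodb"],
        "detail": {"eventName": ["DeleteTable"]},
    },
}


def route(event: dict) -> list:
    """Names of the rules whose pattern matches; each would invoke its targets (SNS, Lambda, ...)."""
    return [name for name, pattern in RULES.items() if matches(pattern, event)]


# Constructed events (only the fields relevant to the rules are included).
EVENTS = {
    "root-login": {
        "source": "aws.signin", "detail-type": "AWS Console Sign In via CloudTrail",
        "detail": {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
                   "userIdentity": {"type": "Root", "accountId": "123456789012"},
                   "responseElements": {"ConsoleLogin": "Success"}}},
    "sg-open": {
        "source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
        "detail": {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
                   "userIdentity": {"type": "IAMUser", "userName": "alice"},
                   "requestParameters": {"groupId": "sg-0831434f1876c0c74"}}},
    "table-drop": {
        "source": "aws.dynamodb", "detail-type": "AWS API Call via CloudTrail",
        "detail": {"eventSource": "dynamodb.amazonaws.com", "eventName": "DeleteTable",
                   "userIdentity": {"type": "AssumedRole"},
                   "requestParameters": {"tableName": "orders"}}},
    "read-only": {
        "source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
        "detail": {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
                   "userIdentity": {"type": "IAMUser", "userName": "bob"}}},
}


if __name__ == "__main__":
    for name, event in EVENTS.items():
        print(f"{name:11} -> {route(event)}")
```

The "read-only" event is there only to show a non-match: in a real account EventBridge receives CloudTrail events for mutating management API calls, so a DescribeInstances call would not even reach the bus. The prefix filter on the security-group rule is what catches both AuthorizeSecurityGroupIngress and AuthorizeSecurityGroupEgress without listing each name.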
AWS Config

* Helps with auditing and recording compliance of your AWS resources
* Helps record configurations and changes over time
* Questions that can be solved by AWS Config:
  * Is there unrestricted SSH access to my security groups?
  * Do my buckets have any public access?
  * How has my ALB configuration changed over time?
* You can receive alerts (SNS notifications) for any changes
* AWS Config is a per-region service
* Can be aggregated across regions and accounts
* Possibility of storing the configuration data into S3 (analyzed by Athena)
Config Rules

* Can use AWS managed config rules (over 75)
* Can make custom config rules (must be defined in AWS Lambda)
  * Ex: evaluate if each EBS disk is of type gp2
  * Ex: evaluate if each EC2 instance is t2.micro
* Rules can be evaluated / triggered:
  * For each config change
  * And / or: at regular time intervals
* AWS Config Rules does not prevent actions from happening (no deny)
* Pricing: no free tier, $0.003 per configuration item recorded per region, $0.001 per config rule evaluation per region
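As an added example (not part of the course slides), here is what the Lambda behind a custom Config rule actually decides, written as plain Python so it runs offline: the two checks named above (EBS volume type gp2, EC2 instance type t2.micro) plus the "unrestricted SSH access to my security groups" question from the previous slide. The configuration items are constructed (the security group IDs are borrowed from the compliance table on the next slide), field names follow the AWS Config resource schemas but only the fields used here are present, and the `put_evaluations` call back to Config is left out on purpose.

```python
"""Added example (not from the course slides): the evaluation logic of custom
AWS Config rules as plain functions over configuration items, runnable offline.
The checks are the slides' examples (EBS volume type gp2, EC2 instance type
t2.micro) plus the "unrestricted SSH access to my security groups" question.
Configuration items are constructed; field names follow the AWS Config resource
schemas but only the fields used here are present. A real rule would send the
result back with config.put_evaluations(Evaluations=[...], ResultToken=...)."""
import json

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"


def permits_ssh_from_anywhere(perm: dict) -> bool:
    """True if one ingress permission covers TCP/22 (or all traffic) from 0.0.0.0/0 or ::/0.
    Both the newer ipv4Ranges/ipv6Ranges objects and the older ipRanges strings are read."""
    proto = perm.get("ipProtocol")
    if proto not in ("tcp", "-1"):
        return False
    if proto == "tcp" and not perm.get("fromPort", 0) <= 22 <= perm.get("toPort", 65535):
        return False
    v4 = [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])] + list(perm.get("ipRanges", []))
    v6 = [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
    return "0.0.0.0/0" in v4 or "::/0" in v6


def evaluate_compliance(ci: dict, params: dict = None) -> str:
    """Compliance type for one configuration item, as a custom rule's Lambda decides it.
    `params` are the rule parameters (desired volumeType / instanceType)."""
    params = params or {}
    cfg = ci.get("configuration") or {}
    rtype = ci.get("resourceType")
    if rtype == "AWS::EC2::Volume":
        return COMPLIANT if cfg.get("volumeType") == params.get("volumeType", "gp2") else NON_COMPLIANT
    if rtype == "AWS::EC2::Instance":
        return COMPLIANT if cfg.get("instanceType") == params.get("instanceType", "t2.micro") else NON_COMPLIANT
    if rtype == "AWS::EC2::SecurityGroup":
        exposed = any(permits_ssh_from_anywhere(p) for p in cfg.get("ipPermissions", []))
        return NON_COMPLIANT if exposed else COMPLIANT
    return NOT_APPLICABLE


def lambda_handler(event: dict, context=None) -> dict:
    """Shape of a configuration-change-triggered custom rule: parse invokingEvent
    and ruleParameters, evaluate, and build the Evaluation entry. The boto3
    put_evaluations call is deliberately left out so this runs offline."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": evaluate_compliance(ci, params),
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


def make_event(ci: dict, params: dict = None) -> dict:
    """Build the event Config would hand to the Lambda (constructed result token)."""
    return {"invokingEvent": json.dumps({"configurationItem": ci,
                                         "messageType": "ConfigurationItemChangeNotification"}),
            "ruleParameters": json.dumps(params or {}), "resultToken": "constructed-token"}


def _ci(rtype, rid, configuration):
    return {"resourceType": rtype, "resourceId": rid,
            "configurationItemCaptureTime": "2021-07-03T14:37:44.000Z", "configuration": configuration}


# Constructed configuration items (security group IDs taken from the slide's compliance table).
OPEN_SG = _ci("AWS::EC2::SecurityGroup", "sg-0831434f1876c0c74",
              {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                  "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]})
CLOSED_SG = _ci("AWS::EC2::SecurityGroup", "sg-077b425b1649da83e",
                {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                    "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}]}]})
GP3_VOLUME = _ci("AWS::EC2::Volume", "vol-0123456789abcdef0", {"volumeType": "gp3"})
MICRO_INSTANCE = _ci("AWS::EC2::Instance", "i-0123456789abcdef0", {"instanceType": "t2.micro"})


if __name__ == "__main__":
    for ci in (OPEN_SG, CLOSED_SG, GP3_VOLUME, MICRO_INSTANCE):
        result = lambda_handler(make_event(ci))
        print(result["ComplianceResourceId"], result["ComplianceType"])
```

Two details matter in practice and are handled above: a rule that allows all traffic (ipProtocol "-1") or a port range that merely contains 22 exposes SSH just as much as an explicit port-22 rule, and an IPv6 "::/0" range is as open as "0.0.0.0/0". Remember that a NON_COMPLIANT result only records the state; the remediation slides below are what act on it.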
AWS Config Resource

* View compliance of a resource over time

  sg-077b425b1649da83e   EC2 SecurityGroup   Compliant
  sg-0831434f1876c0c74   EC2 SecurityGroup   Noncompliant
  sg-09f10ed254d464f30   EC2 SecurityGroup   Compliant

* View configuration of a resource over time

  July 3, 2021
  14:37:44   Configuration change   1 field change(s)
  14:33:26   Configuration change   0 field change(s)

* View CloudTrail API calls of a resource over time

  July 3, 2021
  14:35:31   CloudTrail Event
  14:32:46   CloudTrail Event
  14:32:45   CloudTrail Event
Config Rules - Remediations

* Automate remediation of non-compliant resources using SSM Automation Documents
* Use AWS-Managed Automation Documents or create custom Automation Documents
  * Tip: you can create custom Automation Documents that invoke a Lambda function
* You can set Remediation Retries if the resource is still non-compliant after auto-remediation

[Diagram: AWS Config monitors an IAM Access Key that is expired (NON COMPLIANT) and triggers the Auto-Remediation Action (SSM Document: AWSConfigRemediation-RevokeUnusedIAMUserCredentials, Retries: 5), which deactivates the access key]
Config Rules - Notifications

* Use EventBridge to trigger notifications when AWS resources are non-compliant

[Diagram: AWS Config monitors AWS resources (e.g., a security group); a NON COMPLIANT evaluation is sent to EventBridge, which triggers Lambda or SNS]

* Ability to send configuration changes and compliance state notifications to SNS (all events: use SNS Filtering or filter at client-side)

[Diagram: AWS Config monitors AWS resources (e.g., a security group) and sends all events (configuration changes, compliance state, ...) to SNS, which notifies an Admin]
CloudWatch vs CloudTrail vs Config

* CloudWatch
  * Performance monitoring (metrics, CPU, network, etc.) & dashboards
  * Events & Alerting
  * Log Aggregation & Analysis
* CloudTrail
  * Record API calls made within your Account by everyone
  * Can define trails for specific resources
  * Global Service
* Config
  * Record configuration changes
  * Evaluate resources against compliance rules
  * Get timeline of changes and compliance
For an Elastic Load Balancer

* CloudWatch:
  * Monitoring Incoming connections metric
  * Visualize error codes as % over time
  * Make a dashboard to get an idea of your load balancer performance
* Config:
  * Track security group rules for the Load Balancer
  * Track configuration changes for the Load Balancer
  * Ensure an SSL certificate is always assigned to the Load Balancer (compliance)
* CloudTrail:
  * Track who made any changes to the Load Balancer with API calls
Advanced Identity in AWS
Organizational Units (OU) - Examples

* Business Unit: Management Account -> Sales OU (Sales Account 1, Sales Account 2), Retail OU (Retail Account 1, Retail Account 2), Finance OU (Finance Account 1, Finance Account 2)
* Environmental Lifecycle: Management Account -> Prod OU (Prod Account 1, Prod Account 2), Dev OU (Dev Account 1, Dev Account 2), Test OU (Test Account 1, Test Account 2)
* Project-Based: Management Account -> Project 1 OU (Project 1 Account 1, Project 1 Account 2), Project 2 OU (Project 2 Account 1, Project 2 Account 2), Project 3 OU (Project 3 Account 1, Project 3 Account 2)
AWS Organizations

* Global service
* Allows to manage multiple AWS accounts
* The main account is the management account
* Other accounts are member accounts
* Member accounts can only be part of one organization
* Consolidated Billing across all accounts - single payment method
* Pricing benefits from aggregated usage (volume discount for EC2, S3, ...)
* Shared reserved instances and Savings Plans discounts across accounts
* API is available to automate AWS account creation

AWS Organizations

[Diagram: the Root Organizational Unit (OU) contains the Management Account and child OUs (for example Dev, Prod, HR, Finance), each grouping Member Accounts]
AWS Organizations

* Advantages
  * Multi Account vs One Account Multi VPC
  * Use tagging standards for billing purposes
  * Enable CloudTrail on all accounts, send logs to central S3 account
  * Send CloudWatch Logs to central logging account
  * Establish Cross Account Roles for Admin purposes
* Security: Service Control Policies (SCP)
  * IAM policies applied to OU or Accounts to restrict Users and Roles
  * They do not apply to the management account (full admin power)
  * Must have an explicit allow (does not allow anything by default - like IAM)
SCP Hierarchy

[Diagram: the Root OU carries the FullAWSAccess SCP. Under it sit the Management Account (with a DenyAccessAthena SCP attached, which has no effect because SCPs do not apply to the management account) and OU (Prod) with the DenyRedshift SCP. OU (Prod) contains Account A (with an AuthorizedRedshift SCP attached), Account C, and OU (HR) with the DenyAWSLambda SCP, which contains Account B]

* Management Account
  * Can do anything (no SCP apply)
* Account A
  * Can do anything
  * EXCEPT access Redshift (explicit Deny from OU)
* Account B
  * Can do anything
  * EXCEPT access Redshift (explicit Deny from Prod OU)
  * EXCEPT access Lambda (explicit Deny from HR OU)
* Account C
  * Can do anything
  * EXCEPT access Redshift (explicit Deny from Prod OU)
SCP Examples - Blocklist and Allowlist strategies

Blocklist strategy (allow everything, then deny specific services):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsAllActions",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    },
    {
      "Sid": "DenyDynamoDB",
      "Effect": "Deny",
      "Action": "dynamodb:*",
      "Resource": "*"
    }
  ]
}

Allowlist strategy (allow only the listed services; everything else is implicitly denied, so FullAWSAccess must be detached):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ ... ],
      "Resource": "*"
    }
  ]
}

More examples: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_example-scps.html
IAM Conditions

aws:SourceIp: restrict the client IP from which the API calls are being made

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/2..."]
        }
      }
    }
  ]
}

aws:RequestedRegion: restrict the region the API calls are made to

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["ec2:*", "rds:*", "dynamodb:*"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": ["eu-central-1", "eu-west-1"]
        }
      }
    }
  ]
}
IAM Conditions

ec2:ResourceTag: restrict based on tags

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances"],
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Project": "DataAnalytics",
          "aws:PrincipalTag/Department": "Data"
        }
      }
    }
  ]
}
aws:MultiFactorAuthPresent: to force MFA

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}

* BoolIfExists (rather than Bool) matters here: requests signed with long-term access keys carry no aws:MultiFactorAuthPresent key at all, and the "IfExists" form still matches when the key is absent, so those requests are denied too
IAM for S3

* s3:ListBucket permission applies to arn:aws:s3:::test
  * => bucket level permission
* s3:GetObject, s3:PutObject, s3:DeleteObject applies to arn:aws:s3:::test/*
  * => object level permission

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::test"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::test/*"
    }
  ]
}
Resource Policies & aws:PrincipalOrgID

* aws:PrincipalOrgID can be used in any resource policies to restrict access to accounts that are member of an AWS Organization

[Diagram: Member Accounts of the AWS Organization (o-yyyyyyyyyy) can access the S3 Bucket (2022-financial-data); a User outside the Organization is denied]

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:PutObject", "s3:GetObject"],
      "Resource": "arn:aws:s3:::2022-financial-data/*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": ["o-yyyyyyyyyy"]
        }
      }
    }
  ]
}
IAM Roles vs Resource Based Policies

* Cross account:
  * attaching a resource-based policy to a resource (example: S3 bucket policy)
  * OR using a role as a proxy

[Diagram 1: a User in Account A assumes a Role in Account B, which accesses the Amazon S3 bucket in Account B]

[Diagram 2: a User in Account A accesses the S3 Bucket in Account B directly, allowed by the bucket's resource policy]
IAM Roles vs Resource-Based Policies

* When you assume a role (user, application or service), you give up your original permissions and take the permissions assigned to the role
* When using a resource-based policy, the principal doesn't have to give up his permissions
* Example: User in account A needs to scan a DynamoDB table in Account A and dump it in an S3 bucket in Account B.
* Supported by: Amazon S3 buckets, SNS topics, SQS queues, etc.
Amazon EventBridge - Security

* When a rule runs, it needs permissions on the target
* Resource-based policy: Lambda, SNS, SQS, CloudWatch Logs, API Gateway...
* IAM role: Kinesis stream, Systems Manager Run Command, ECS task...

[Diagram 1: EventBridge Rule -> Lambda, allowed by the Lambda function's resource-based policy (e.g., Allow EventBridge)]

[Diagram 2: EventBridge Rule -> IAM Role -> Kinesis]
IAM Permission Boundaries

* IAM Permission Boundaries are supported for users and roles (not groups)
* Advanced feature to use a managed policy to set the maximum permissions an IAM entity can get.

Example:

IAM Permission Boundary:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*",
        "cloudwatch:*",
        "ec2:*"
      ],
      "Resource": "*"
    }
  ]
}

IAM Permissions Through IAM Policy:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "iam:CreateUser",
    "Resource": "*"
  }
}

=> No Permissions (iam:CreateUser is not inside the boundary)
IAM Permission Boundaries

* Can be used in combination with AWS Organizations SCP
  * Effective permissions = intersection of the Organizations SCP, the Permissions boundary and the Identity-based policy
* Use cases
  * Delegate responsibilities to non administrators within their permission boundaries, for example create new IAM users
  * Allow developers to self-assign policies and manage their own permissions, while making sure they can't 'escalate' their privileges (= make themselves admin)
  * Useful to restrict one specific user (instead of a whole account using Organizations & SCP)

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
IAM Policy Evaluation Logic

Flowchart (evaluated in this order, for a request within a single account):
1. Deny evaluation: is there an explicit Deny in any applicable policy? Yes -> Final decision: Deny (explicit deny)
2. Organizations SCPs: is there an Allow? No -> Final decision: Deny (implicit deny)
3. Resource-based policies: is there an Allow? Yes -> Final decision: Allow
4. Identity-based policies: is there an Allow? No -> Final decision: Deny (implicit deny)
5. IAM permissions boundaries: is there an Allow? No -> Final decision: Deny (implicit deny)
6. Session policies*: is there an Allow? No -> Final decision: Deny (implicit deny)
7. Otherwise -> Final decision: Allow

* A session principal is either a role session or an IAM federated user session.

olicies evaluation-logic.html
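To see the flowchart decide concrete requests, here is a toy Python evaluator (an added example, not AWS code or the course's own material) that applies the order above to the slide's own bucket policy with aws:PrincipalOrgID and to the permission-boundary pair (identity policy iam:CreateUser vs boundary s3/cloudwatch/ec2). The administrator policy and the SCP with one explicit deny are constructed for the example, and only the StringEquals condition operator is modelled.

```python
"""Toy re-implementation of the IAM evaluation flowchart above (constructed example, not
AWS code): explicit deny -> SCPs -> resource-based -> identity-based -> permissions
boundary -> session policy, for a same-account request; only StringEquals is modelled."""
import fnmatch


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _matches(pattern, value):
    # IAM wildcards are '*' and '?'; action names are case-insensitive, ARNs are not
    fold = (lambda s: s) if pattern.startswith("arn:") else str.lower
    return fnmatch.fnmatchcase(fold(value), fold(pattern))


def _condition_ok(cond, ctx):
    """A missing context key never satisfies StringEquals."""
    for op, pairs in (cond or {}).items():
        if op != "StringEquals":
            raise ValueError(f"operator {op} not modelled in this toy")
        for key, allowed in pairs.items():
            if ctx.get(key) not in _as_list(allowed):
                return False
    return True


def _evaluate(policy, action, resource, ctx):
    """'Deny', 'Allow' or None (no statement applies) for one policy document."""
    verdict = None
    for stmt in _as_list(policy["Statement"]):
        if not any(_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_matches(p, resource) for p in _as_list(stmt.get("Resource", "*"))):
            continue
        if not _condition_ok(stmt.get("Condition"), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny beats any Allow in the same document
        verdict = "Allow"
    return verdict


def _combine(policies, action, resource, ctx):
    verdicts = {_evaluate(p, action, resource, ctx) for p in policies}
    return "Deny" if "Deny" in verdicts else ("Allow" if "Allow" in verdicts else None)


def decide(request, identity=(), resource_based=(), scps=None, boundary=None, session=None):
    """Final decision string, following the order of the flowchart above."""
    action, resource, ctx = request["action"], request["resource"], request.get("context", {})
    optional = [p for p in (boundary, session) if p is not None]
    everything = list(identity) + list(resource_based) + list(scps or []) + optional
    if _combine(everything, action, resource, ctx) == "Deny":       # 1. Deny evaluation
        return "Deny (explicit deny)"
    if scps is not None and _combine(scps, action, resource, ctx) != "Allow":  # 2. SCPs
        return "Deny (implicit deny)"
    if _combine(resource_based, action, resource, ctx) == "Allow":  # 3. resource-based policy
        return "Allow"                  # enough on its own for a same-account principal
    if _combine(identity, action, resource, ctx) != "Allow":        # 4. identity-based policy
        return "Deny (implicit deny)"
    for pol in optional:                # 5. permissions boundary, 6. session policy
        if _evaluate(pol, action, resource, ctx) != "Allow":
            return "Deny (implicit deny)"
    return "Allow"


# Policy documents copied from the slides above
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": ["s3:PutObject", "s3:GetObject"],
    "Resource": "arn:aws:s3:::2022-financial-data/*",
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": ["o-yyyyyyyyyy"]}}}]}
BOUNDARY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:*", "cloudwatch:*", "ec2:*"], "Resource": "*"}]}
IDENTITY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "iam:CreateUser", "Resource": "*"}}
# Constructed for this example: an admin identity policy and an SCP with one explicit deny
ADMIN = {"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}
SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}


def org_bucket_access(principal_org_id):
    """A user with no identity policy reads the bucket: only the OrgID condition decides."""
    req = {"action": "s3:GetObject", "resource": "arn:aws:s3:::2022-financial-data/q1.csv",
           "context": {"aws:PrincipalOrgID": principal_org_id}}
    return decide(req, resource_based=[BUCKET_POLICY])


def boundary_demo(action):
    """Identity allows iam:CreateUser, boundary allows only s3/cloudwatch/ec2: nothing."""
    return decide({"action": action, "resource": "*"}, identity=[IDENTITY], boundary=BOUNDARY)


def scp_demo(action):
    """Administrator identity policy, but the SCP's explicit deny wins for one action."""
    req = {"action": action, "resource": "arn:aws:s3:::2022-financial-data"}
    return decide(req, identity=[ADMIN], scps=[SCP])
```

Running org_bucket_access with a foreign organization ID ends at step 4 (implicit deny), while boundary_demo("iam:CreateUser") passes the identity policy and fails at the boundary, which is the "No Permissions" outcome of the slide.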
Example IAM Policy

* Can you perform sqs:CreateQueue?
* Can you perform sqs:DeleteQueue?
* Can you perform ec2:DescribeInstances?
AWS IAM Identity Center
(successor to AWS Single Sign-On)

* One login (single sign-on) for all your
  * AWS accounts in AWS Organizations
  * Business cloud applications (e.g., Salesforce, Box, Microsoft 365, ...)
  * SAML2.0-enabled applications
  * EC2 Windows Instances
* Identity providers
  * Built-in identity store in IAM Identity Center
  * 3rd party: Active Directory (AD), OneLogin, Okta...
AWS IAM Identity Center — Login Flow

Screenshots: the user signs in to the AWS IAM Identity Center portal with a username; the portal lists the AWS accounts assigned to the user (e.g. AWS Courses, datacumulus-main, stephane-ccp) and, for each account, the permission sets (e.g. AdministratorAccess) with links to the Management console or to Command line or programmatic access; choosing one opens the AWS Console Home signed in as AdministratorAccess/stephane.
AWS IAM Identity Center

Diagram: users log in through the Browser Interface of IAM Identity Center. User identities are stored / retrieved from either Active Directory (users & groups, on-premises or cloud) or the IAM Identity Center Built-in Identity Store. Permission Sets (e.g. FullAccess) grant access to the accounts of the AWS Organization (IAM Identity Center runs in the Management Account), to AWS Windows EC2 instances and to Business Cloud Apps (Box, Slack, Microsoft 365, Dropbox).
AWS IAM Identity Center
Fine-grained Permissions and Assignments

* Multi-Account Permissions
  * Manage access across AWS accounts in your AWS Organization
  * Permission Sets — a collection of one or more IAM Policies assigned to users and groups to define AWS access (diagram: each assignment is materialized as an IAM Role in the target account)
* Application Assignments
  * SSO access to many SAML 2.0 business applications (Salesforce, Box, Microsoft 365, ...)
  * Provide required URLs, certificates, and metadata
* Attribute-Based Access Control (ABAC)
  * Fine-grained permissions based on users' attributes stored in IAM Identity Center Identity Store
  * Example: cost center, title, locale, ...
  * Use case: Define permissions once, then modify AWS access by changing the attributes

Diagram: the Database Admins group (DB Admins) is assigned a permission set in IAM Identity Center, which provisions an IAM Role in each account the group is assigned to.
What is Microsoft Active Directory (AD)?

* Found on any Windows Server with AD Domain Services
* Database of objects: User Accounts, Computers, Printers, File Shares, Security Groups
* Centralized security management, create account, assign permissions
* Objects are organized in trees
* A group of trees is a forest

Diagram: a Domain Controller holds the user accounts and their passwords; the domain's machines authenticate against it.
AWS Directory Services

* AWS Managed Microsoft AD
  * Create your own AD in AWS, manage users locally, supports MFA
  * Establish "trust" connections with your on-premises AD (diagram: On-prem AD <-> AWS Managed AD)
* AD Connector
  * Directory Gateway (proxy) to redirect to on-premises AD, supports MFA
  * Users are managed on the on-premises AD (diagram: AD Connector -> On-prem AD)
* Simple AD
  * AD-compatible managed directory on AWS
  * Cannot be joined with on-premises AD
IAM Identity Center — Active Directory Setup

* Connect to an AWS Managed Microsoft AD (Directory Service)
  * Integration is out of the box (diagram: IAM Identity Center -- connect --> AWS Managed Microsoft AD)
* Connect to a Self-Managed Directory
  * Create Two-way Trust Relationship using AWS Managed Microsoft AD (diagram: IAM Identity Center -- connect --> AWS Managed Microsoft AD <-- two-way trust relationship --> Active Directory)
  * Create an AD Connector (diagram: IAM Identity Center -- connect --> AD Connector -- proxy --> Active Directory)
AWS Control Tower

* Easy way to set up and govern a secure and compliant multi-account AWS environment based on best practices
* AWS Control Tower uses AWS Organizations to create accounts
* Benefits:
  * Automate the set up of your environment in a few clicks
  * Automate ongoing policy management using guardrails
  * Detect policy violations and remediate them
  * Monitor compliance through an interactive dashboard
AWS Control Tower — Guardrails

* Provides ongoing governance for your Control Tower environment (AWS Accounts)
* Preventive Guardrail — using SCPs (e.g., Restrict Regions across all your accounts)
* Detective Guardrail — using AWS Config (e.g., identify untagged resources)

Diagram (Detective Guardrail): AWS Control Tower deploys an AWS Config rule that monitors un-tagged resources in the Member Accounts; a NON_COMPLIANT evaluation triggers a notification to SNS, which invokes a Lambda function to remediate (add tags).
AWS Security & Encryption

KMS, Encryption SDK, SSM Parameter Store
Why encryption?
Encryption in flight (SSL)

* Data is encrypted before sending and decrypted after receiving
* SSL certificates help with encryption (HTTPS)
* Encryption in flight ensures no MITM (man in the middle attack) can happen

Diagram: the client sends its credentials (U: admin, P: supersecret) over HTTPS; SSL Encryption turns them into ciphertext on the wire, and SSL Decryption on the Website (AWS) side recovers the original credentials.
Why encryption?
Server side encryption at rest

* Data is encrypted after being received by the server
* Data is decrypted before being sent
* It is stored in an encrypted form thanks to a key (usually a data key)
* The encryption / decryption keys must be managed somewhere and the server must have access to it

Diagram: the Object reaches the AWS Service (ex: EBS) over HTTP/S, is encrypted with a Data key before being stored, and is decrypted with the Data key before being sent back over HTTP/S.
Why encryption?
Client side encryption

* Data is encrypted by the client and never decrypted by the server
* Data will be decrypted by a receiving client
* The server should not be able to decrypt the data
* Could leverage Envelope Encryption

Diagram: the Client encrypts the Object with a Client side data key, stores it in any store (FTP, ...), and a receiving Client decrypts it with the Client side data key.
AWS KMS (Key Management Service)

* Anytime you hear "encryption" for an AWS service, it's most likely KMS
* AWS manages encryption keys for us
* Fully integrated with IAM for authorization
* Easy way to control access to your data
* Able to audit KMS Key usage using CloudTrail
* Seamlessly integrated into most AWS services (EBS, S3, RDS, SSM...)
* Never ever store your secrets in plaintext, especially in your code!
  * KMS Key Encryption also available through API calls (SDK, CLI)
  * Encrypted secrets can be stored in the code / environment variables
KMS Keys Types

* KMS Keys is the new name of KMS Customer Master Key
* Symmetric (AES-256 keys)
  * Single encryption key that is used to Encrypt and Decrypt
  * AWS services that are integrated with KMS use Symmetric CMKs
  * You never get access to the KMS Key unencrypted (must call KMS API to use)
* Asymmetric (RSA & ECC key pairs)
  * Public (Encrypt) and Private Key (Decrypt) pair
  * Used for Encrypt/Decrypt, or Sign/Verify operations
  * The public key is downloadable, but you can't access the Private Key unencrypted
  * Use case: encryption outside of AWS by users who can't call the KMS API
AWS KMS (Key Management Service)

* Types of KMS Keys:
  * AWS Owned Keys (free): SSE-S3, SSE-SQS, SSE-DDB (default key)
  * AWS Managed Key: free (aws/service-name, example: aws/rds or aws/ebs)
  * Customer managed keys created in KMS: $1 / month
  * Customer managed keys imported (must be symmetric key): $1 / month
  * + pay for API call to KMS ($0.03 / 10000 calls)
* Automatic Key rotation:
  * AWS-managed KMS Key: automatic every 1 year
  * Customer-managed KMS Key: (must be enabled) automatic every 1 year
  * Imported KMS Key: only manual rotation possible using alias

Screenshot (DynamoDB "Encryption key management"): Owned by Amazon DynamoDB / AWS managed key (Key alias: aws/dynamodb) / Stored in your account (customer managed key).
Copying Snapshots across regions

Diagram: EBS Volume encrypted with KMS Key A -> EBS Snapshot encrypted with KMS Key A -> KMS ReEncrypt with KMS Key B (in the destination region) -> EBS Snapshot encrypted with KMS Key B -> EBS Volume encrypted with KMS Key B
KMS Key Policies

* Control access to KMS keys, 'similar' to S3 bucket policies
* Difference: you cannot control access without them
* Default KMS Key Policy:
  * Created if you don't provide a specific KMS Key Policy
  * Complete access to the key to the root user = entire AWS account
* Custom KMS Key Policy:
  * Define users, roles that can access the KMS key
  * Define who can administer the key
  * Useful for cross-account access of your KMS key
Copying Snapshots across accounts

1. Create a Snapshot, encrypted with your own KMS Key (Customer Managed Key)
2. Attach a KMS Key Policy to authorize cross-account access
3. Share the encrypted snapshot
4. (in target) Create a copy of the Snapshot, encrypt it with a CMK in your account
5. Create a volume from the snapshot

KMS Key Policy (statement from the slide; only the legible fields are reproduced):
{
  "Sid": "Allow use of the key with destination account",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::TARGET-ACCOUNT-ID:role/ROLENAME"
  },
  "Condition": {
    "StringEquals": {
      "kms:ViaService": "ec2.REGION.amazonaws.com",
      "kms:CallerAccount": "TARGET-ACCOUNT-ID"
    }
  }
}
KMS Multi-Region Keys

Diagram: a multi-Region Primary key in us-east-1 (arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab) is synced to multi-Region Replica keys in other Regions, for example us-west-2 (arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab). Only the Region in the ARN differs; the key ID (mrk-...) is the same everywhere.
KMS Multi-Region Keys

* Identical KMS keys in different AWS Regions that can be used interchangeably
* Multi-Region keys have the same key ID, key material, automatic rotation...
* Encrypt in one Region and decrypt in other Regions
* No need to re-encrypt or make cross-Region API calls
* KMS Multi-Region keys are NOT global (Primary + Replicas)
* Each Multi-Region key is managed independently
* Use cases: global client-side encryption, encryption on Global DynamoDB, Global Aurora
DynamoDB Global Tables and KMS Multi-Region Keys
Client-Side encryption

* We can encrypt specific attributes client-side in our DynamoDB table using the Amazon DynamoDB Encryption Client
* Combined with Global Tables, the client-side encrypted data is replicated to other regions
* If we use a multi-region key, replicated in the same region as the DynamoDB Global table, then clients in these regions can use low-latency API calls to KMS in their region to decrypt the data client-side
* Using client-side encryption we can protect specific fields and guarantee only decryption if the client has access to an API key

Diagram (us-east-1 -> ap-southeast-2): 1. the Client App encrypts the attribute with the primary MRK; 2. it puts the encrypted attribute (SSN) in the DDB Table; 3. Global Table replication copies the item to the other region; 4. the Client App there gets the encrypted attribute; 5. it decrypts the attribute with the replica MRK.
Global Aurora and KMS Multi-Region Keys
Client-Side encryption

* We can encrypt specific attributes client-side in our Aurora table using the AWS Encryption SDK
* Combined with Aurora Global Database, the client-side encrypted data is replicated to other regions
* If we use a multi-region key, replicated in the same region as the Global Aurora DB, then clients in these regions can use low-latency API calls to KMS in their region to decrypt the data client-side
* Using client-side encryption we can protect specific fields and guarantee only decryption if the client has access to an API key; we can protect specific fields even from database admins

Diagram: 1. the Client App encrypts the column with the primary MRK; 2. it puts the encrypted column (SSN) in the Aurora Table; 3. Global DB Replication copies it to the other region; 4. the Client App there gets the encrypted column; 5. it decrypts the column with the replica MRK.
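The five diagram steps of both the DynamoDB and the Aurora case boil down to envelope encryption with a data key that can be unwrapped in either Region. The Python script below (an added example, not the DynamoDB Encryption Client or the AWS Encryption SDK) reproduces that flow with a FakeKms stand-in that shares key ID and key material across us-east-1 and ap-southeast-2, a toy HMAC-SHA256 cipher in place of AES so it runs on the standard library alone, and a constructed sample SSN value.

```python
"""Client-side envelope encryption of one table attribute under a multi-Region key.

Added example for this page, not the DynamoDB Encryption Client or the AWS Encryption
SDK: KMS is replaced by FakeKms (two Regions sharing key ID and key material, as an
MRK does) and AES by a toy HMAC-SHA256 counter-mode cipher with an HMAC tag, so the
script runs on the standard library alone. The envelope layout (data key wrapped by
KMS, stored next to the ciphertext, unwrapped in the reader's Region) is the real pattern.
"""
import base64
import hashlib
import hmac
import os


def _stream(key, nonce, length):
    """Toy keystream: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key, plaintext):
    """Encrypt-then-MAC with derived sub-keys: nonce(16) || ciphertext || tag(32)."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def toy_decrypt(key, blob):
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _stream(enc_key, nonce, len(ct))))


class FakeKms:
    """Stand-in for KMS in one Region; an MRK replica shares key_id and material."""

    def __init__(self, region, key_id, material):
        self.region, self.key_id, self._material = region, key_id, material

    def generate_data_key(self):
        """Like kms:GenerateDataKey: a fresh plaintext data key plus its wrapped copy."""
        data_key = os.urandom(32)
        wrapped = self.key_id.encode() + b"." + toy_encrypt(self._material, data_key)
        return data_key, wrapped

    def decrypt(self, wrapped):
        """Like kms:Decrypt: only unwraps blobs produced under this key ID."""
        key_id, blob = wrapped.split(b".", 1)
        if key_id.decode() != self.key_id:
            raise PermissionError(f"{self.region}: key {key_id.decode()} is not available here")
        return toy_decrypt(self._material, blob)


def encrypt_attribute(kms, plaintext):
    """Envelope: encrypt the value under a fresh data key and keep the wrapped key beside it."""
    data_key, wrapped = kms.generate_data_key()
    return {"ciphertext": base64.b64encode(toy_encrypt(data_key, plaintext)).decode(),
            "wrapped_key": base64.b64encode(wrapped).decode()}


def decrypt_attribute(kms, envelope):
    """Unwrap the data key with the local KMS, then decrypt the value client-side."""
    data_key = kms.decrypt(base64.b64decode(envelope["wrapped_key"]))
    return toy_decrypt(data_key, base64.b64decode(envelope["ciphertext"]))


def global_table_round_trip(ssn=b"123-45-6789"):
    """Steps 1-5 of the diagram: encrypt in us-east-1, replicate, decrypt in ap-southeast-2."""
    material = os.urandom(32)      # identical key material in both Regions (MRK property)
    mrk_id = "mrk-1234abcd12ab34cd56ef1234567890ab"     # key ID from the slide
    primary = FakeKms("us-east-1", mrk_id, material)
    replica = FakeKms("ap-southeast-2", mrk_id, material)
    unrelated = FakeKms("ap-southeast-2", "key-constructed-not-a-replica", os.urandom(32))
    item = {"user_id": "u-1", "ssn": encrypt_attribute(primary, ssn)}   # 1. encrypt, 2. put
    replicated = dict(item)                          # 3. Global Table replication copies it
    recovered = decrypt_attribute(replica, replicated["ssn"])  # 4. get, 5. decrypt with replica MRK
    try:                                             # a key that is not a replica cannot unwrap
        decrypt_attribute(unrelated, replicated["ssn"])
        other_key_can_read = True
    except PermissionError:
        other_key_can_read = False
    return recovered, other_key_can_read
```

The stored item only ever carries ciphertext and a wrapped data key, which is why a database administrator who can read the table still cannot recover the SSN without a KMS key that can unwrap it.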
S3 Replication
Encryption Considerations

* Unencrypted objects and objects encrypted with SSE-S3 are replicated by default
* Objects encrypted with SSE-C (customer provided key) are never replicated
* For objects encrypted with SSE-KMS, you need to enable the option
  * Specify which KMS Key to encrypt the objects within the target bucket
  * Adapt the KMS Key Policy for the target key
  * An IAM Role with kms:Decrypt for the source KMS Key and kms:Encrypt for the target KMS Key
  * You might get KMS throttling errors, in which case you can ask for a Service Quotas increase
* You can use multi-region AWS KMS Keys, but they are currently treated as independent keys by Amazon S3 (the object will still be decrypted and then encrypted)
AMI Sharing Process Encrypted via KMS

1. AMI in Source Account is encrypted with KMS Key from Source Account
2. Must modify the image attribute to add a Launch Permission which corresponds to the specified target AWS account
3. Must share the KMS Keys used to encrypt the snapshots the AMI references with the target account
4. The IAM Role/User in the target account must have the permissions to DescribeKey, ReEncrypt, CreateGrant, Decrypt
5. When launching an EC2 instance from the AMI, optionally the target account can specify a new KMS key in its own account to re-encrypt the volumes

Diagram: Account A (AMI encrypted with its KMS Key) shares the AMI and the key with Account B, which launches an EC2 Instance from the AMI.

ZN = 

SSM Parameter Store | El D = 
n 

e Secure storage for configuration and secrets = 
c 

e Optional Seamless Encryption using KMS LJ Applications z 
e Serverless, scalable, durable, easy SDK a 
, , Plaintext Encrypted 2 

“ Version tracking of configurations / secrets EU ion T: a = 
e Security through IAM z 
e Notifications with Amazon EventBridge E GENIE El ii amb S 
* Integration with CloudFormation Ge : 
Decryption 2 

Service a 

2 

O 
SSM Parameter Store Hierarchy

* /my-department/
  * my-app/
    * dev/
      * db-url
      * db-password
    * prod/
      * db-url
      * db-password
  * other-app/
* /other-department/
* /aws/reference/secretsmanager/secret ID in Secrets Manager
* /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 (public)

Diagram: the Dev Lambda Function reads /my-department/my-app/dev/ and the Prod Lambda Function reads /my-department/my-app/prod/ using the GetParameters or GetParametersByPath API.
Standard and advanced parameter tiers

                                                          Standard               Advanced
Total number of parameters allowed                        10,000                 100,000
(per AWS account and Region)
Maximum size of a parameter value                         4 KB                   8 KB
Parameter policies available                              No                     Yes
Cost                                                      No additional charge   Charges apply
Storage Pricing                                           Free                   $0.05 per advanced parameter per month
Parameters Policies (for advanced parameters)

* Allow to assign a TTL to a parameter (expiration date) to force updating or deleting sensitive data such as passwords
* Can assign multiple policies at a time

Expiration (to delete a parameter):
{
  "Type": "Expiration",
  "Version": "1.0",
  "Attributes": {
    "Timestamp": "2020-12-02T21:34:33.000Z"
  }
}

ExpirationNotification (EventBridge):
{
  "Type": "ExpirationNotification",
  "Version": "1.0",
  "Attributes": {
    "Before": "15",
    "Unit": "Days"
  }
}

NoChangeNotification (EventBridge):
{
  "Type": "NoChangeNotification",
  "Version": "1.0",
  "Attributes": {
    "After": "20",
    "Unit": "Days"
  }
}
AWS Secrets Manager

* Newer service, meant for storing secrets
* Capability to force rotation of secrets every XX days
* Automate generation of secrets on rotation (uses Lambda)
* Integration with Amazon RDS (MySQL, PostgreSQL, Aurora)
* Secrets are encrypted using KMS
* Mostly meant for RDS integration
AWS Secrets Manager — Multi-Region Secrets

* Replicate Secrets across multiple AWS Regions
* Secrets Manager keeps read replicas in sync with the primary Secret
* Ability to promote a read replica Secret to a standalone Secret
* Use cases: multi-region apps, disaster recovery strategies, multi-region DB...

Diagram: Secrets Manager in us-east-1 (Primary) holds MySecret-A (primary) and replicates it to Secrets Manager in us-west-2 (Secondary) as MySecret-A (replica).
AWS Certificate Manager (ACM)

* Easily provision, manage, and deploy TLS Certificates
* Provide in-flight encryption for websites (HTTPS)
* Supports both public and private TLS certificates
* Free of charge for public TLS certificates
* Automatic TLS certificate renewal
* Integrations with (load TLS certificates on)
  * Elastic Load Balancers (CLB, ALB, NLB)
  * CloudFront Distributions
  * APIs on API Gateway
* Cannot use ACM with EC2 (can't be extracted)

Diagram: clients reach the Application Load Balancer over HTTPS with a certificate provisioned by AWS Certificate Manager; the ALB forwards to the EC2 Instances of an Auto Scaling group.
ACM — Requesting Public Certificates

1. List domain names to be included in the certificate
  * Fully Qualified Domain Name (FQDN): corp.example.com
  * Wildcard Domain: *.example.com
2. Select Validation Method: DNS Validation or Email validation
  * DNS Validation is preferred for automation purposes
  * Email validation will send emails to contact addresses in the WHOIS database
  * DNS Validation will leverage a CNAME record to DNS config (ex: Route 53)
3. It will take a few hours to get verified
4. The Public Certificate will be enrolled for automatic renewal
  * ACM automatically renews ACM-generated certificates 60 days before expiry
ACM — Importing Public Certificates

* Option to generate the certificate outside of ACM and then import it
* No automatic renewal, must import a new certificate before expiry
* ACM sends daily expiration events starting 45 days prior to expiration
  * The # of days can be configured
  * Events are appearing in EventBridge
* AWS Config has a managed rule named acm-certificate-expiration-check to check for expiring certificates (configurable number of days)

Diagram: ACM emits "Daily Certificate Expiry" events to EventBridge; the AWS Config rule checks the certificates and emits Non-compliance rule events.
ACM — Integration with ALB

Diagram: an Application Load Balancer with an HTTP -> HTTPS redirect rule receives HTTP requests and redirects the clients to HTTPS; AWS Certificate Manager provisions and maintains the TLS certs on the ALB, which forwards the traffic to the EC2 Instances of an Auto Scaling group.
API Gateway - Endpoint Types

* Edge-Optimized (default): For global clients
  * Requests are routed through the CloudFront Edge locations (improves latency)
  * The API Gateway still lives in only one region
* Regional:
  * For clients within the same region
  * Could manually combine with CloudFront (more control over the caching strategies and the distribution)
* Private:
  * Can only be accessed from your VPC using an interface VPC endpoint (ENI)
  * Use a resource policy to define access
ACM — Integration with API Gateway

* Create a Custom Domain Name in API Gateway
* Edge-Optimized (default): For global clients
  * Requests are routed through the CloudFront Edge locations (improves latency)
  * The API Gateway still lives in only one region
  * The TLS Certificate must be in the same region as CloudFront, in us-east-1
  * Then setup CNAME or (better) A-Alias record in Route 53
* Regional:
  * For clients within the same region
  * The TLS Certificate must be imported on API Gateway, in the same region as the API Stage
  * Then setup CNAME or (better) A-Alias record in Route 53

Diagram: Edge-Optimized API Gateway -> CloudFront linked to a certificate in ACM (us-east-1); Regional API Gateway -> certificate in ACM in the same region.
AWS WAF — Web Application Firewall

* Protects your web applications from common web exploits (Layer 7)
* Layer 7 is HTTP (vs Layer 4 is TCP/UDP)
* Deploy on
  * Application Load Balancer
  * API Gateway
  * CloudFront
  * AppSync GraphQL API
  * Cognito User Pool
AWS WAF — Web Application Firewall

* Define Web ACL (Web Access Control List) Rules:
  * IP Set: up to 10,000 IP addresses — use multiple Rules for more IPs
  * HTTP headers, HTTP body, or URI strings: protects from common attacks - SQL injection and Cross-Site Scripting (XSS)
  * Size constraints, geo-match (block countries)
  * Rate-based rules (to count occurrences of events) — for DDoS protection
* Web ACL are Regional except for CloudFront
* A rule group is a reusable set of rules that you can add to a web ACL
WAF — Fixed IP while using WAF with a Load Balancer

* WAF does not support the Network Load Balancer (Layer 4)
* We can use Global Accelerator for fixed IP and WAF on the ALB

Diagram: Users -> Global Accelerator (Fixed IPv4: 1.2.3.4) -> Application Load Balancer -> EC2 Instances; an AWS WAF WebACL is attached to the ALB, and the WebACL must be in the same AWS Region as the ALB.
AWS Shield: protect from DDoS attack

* DDoS: Distributed Denial of Service — many requests at the same time
* AWS Shield Standard:
  * Free service that is activated for every AWS customer
  * Provides protection from attacks such as SYN/UDP Floods, Reflection attacks and other layer 3/layer 4 attacks
* AWS Shield Advanced:
  * Optional DDoS mitigation service ($3,000 per month per organization)
  * Protect against more sophisticated attack on Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Route 53
  * 24/7 access to AWS DDoS response team (DRP)
  * Protect against higher fees during usage spikes due to DDoS
  * Shield Advanced automatic application layer DDoS mitigation automatically creates, evaluates and deploys AWS WAF rules to mitigate layer 7 attacks
AWS Firewall Manager

* Manage rules in all accounts of an AWS Organization
* Security policy: common set of security rules
  * WAF rules (Application Load Balancer, API Gateways, CloudFront)
  * AWS Shield Advanced (ALB, CLB, NLB, Elastic IP, CloudFront)
  * Security Groups for EC2, Application Load Balancer and ENI resources in VPC
  * AWS Network Firewall (VPC Level)
  * Amazon Route 53 Resolver DNS Firewall
  * Policies are created at the region level
* Rules are applied to new resources as they are created (good for compliance) across all and future accounts in your Organization
WAF vs. Firewall Manager vs. Shield

* WAF, Shield and Firewall Manager are used together for comprehensive protection
* Define your Web ACL rules in WAF
* For granular protection of your resources, WAF alone is the correct choice
* If you want to use AWS WAF across accounts, accelerate WAF configuration, automate the protection of new resources, use Firewall Manager with AWS WAF
* Shield Advanced adds additional features on top of AWS WAF, such as dedicated support from the Shield Response Team (SRT) and advanced reporting.
* If you're prone to frequent DDoS attacks, consider purchasing Shield Advanced
AWS Best Practices for DDoS Resiliency
Edge Location Mitigation (BP1, BP3)

* BP1 — CloudFront
  * Web Application delivery at the edge
  * Protect from DDoS Common Attacks (SYN floods, UDP reflection...)
* BP1 — Global Accelerator
  * Access your application from the edge
  * Integration with Shield for DDoS protection
  * Helpful if your backend is not compatible with CloudFront
* BP3 — Route 53
  * Domain Name Resolution at the edge
  * DDoS Protection mechanism

Diagram (reference architecture): Users -> Amazon Route 53 (BP3) / Amazon CloudFront with AWS WAF (BP1) / AWS Global Accelerator (BP1) -> Amazon API Gateway (BP4) / Elastic Load Balancing (BP6) -> Auto Scaling group of EC2 instances (BP7).
AWS Best Practices for DDoS Resiliency
Best practices for DDoS mitigation

* Infrastructure layer defense (BP1, BP3, BP6)
  * Protect Amazon EC2 against high traffic
  * That includes using Global Accelerator, Route 53, CloudFront, Elastic Load Balancing
* Amazon EC2 with Auto Scaling (BP7)
  * Helps scale in case of sudden traffic surges including a flash crowd or a DDoS attack
* Elastic Load Balancing (BP6)
  * Elastic Load Balancing scales with the traffic increases and will distribute the traffic to many EC2 Instances

Diagram: same reference architecture (Users -> Route 53 (BP3) / CloudFront with AWS WAF (BP1) / Global Accelerator (BP1) -> API Gateway (BP4) / Elastic Load Balancing (BP6) -> Auto Scaling group (BP7)).
AWS Best Practices for DDoS Resiliency
Application Layer Defense

* Detect and filter malicious web requests (BP1, BP2)
  * CloudFront caches static content and serves it from edge locations, protecting your backend
  * AWS WAF is used on top of CloudFront and Application Load Balancer to filter and block requests based on request signatures
  * WAF rate-based rules can automatically block the IPs of bad actors
  * Use managed rules on WAF to block attacks based on IP reputation, or block anonymous IPs
  * CloudFront can block specific geographies
* Shield Advanced (BP1, BP2, BP6)
  * Shield Advanced automatic application layer DDoS mitigation automatically creates, evaluates and deploys AWS WAF rules to mitigate layer 7 attacks

Diagram: same reference architecture (Users -> Route 53 / CloudFront with AWS WAF / Global Accelerator -> API Gateway / Elastic Load Balancing -> Auto Scaling group).
AWS Best Practices for DDoS Resiliency
Attack surface reduction

* Obfuscating AWS resources (BP1, BP4, BP6)
  * Using CloudFront, API Gateway, Elastic Load Balancing to hide your backend resources (Lambda functions, EC2 instances)
* Security groups and Network ACLs (BP5)
  * Use security groups and NACLs to filter traffic based on specific IP at the subnet or ENI-level
  * Elastic IP are protected by AWS Shield Advanced
* Protecting API endpoints (BP4)
  * Hide EC2, Lambda, elsewhere
  * Edge-optimized mode, or CloudFront + regional mode (more control for DDoS)
  * WAF + API Gateway: burst limits, headers filtering, use API keys

Diagram: same reference architecture (Users -> Route 53 / CloudFront with AWS WAF / Global Accelerator -> API Gateway (BP4) / Elastic Load Balancing (BP6) -> Auto Scaling group, with security groups and NACLs (BP5) in the VPC).
Amazon GuardDuty

* Intelligent Threat discovery to protect your AWS Account
* Uses Machine Learning algorithms, anomaly detection, 3rd party data
* One click to enable (30 days trial), no need to install software
* Input data includes:
  * CloudTrail Events Logs — unusual API calls, unauthorized deployments
    * CloudTrail Management Events — create VPC subnet, create trail, ...
    * CloudTrail S3 Data Events — get object, list objects, delete object, ...
  * VPC Flow Logs — unusual internal traffic, unusual IP address
  * DNS Logs — compromised EC2 instances sending encoded data within DNS queries
  * Optional Features — EKS Audit Logs, RDS & Aurora, EBS, Lambda, S3 Data Events...
* Can setup EventBridge rules to be notified in case of findings
  * EventBridge rules can target AWS Lambda or SNS
* Can protect against CryptoCurrency attacks (has a dedicated "finding" for it)
Amazon GuardDuty

[Diagram: VPC Flow Logs, CloudTrail Logs and DNS Logs (AWS DNS) feed GuardDuty; findings go to EventBridge and then to Lambda. Optional Features: S3 Logs, EBS Volumes, Lambda Network Activity, RDS & Aurora Login Activity, EKS Audit Logs & Runtime Monitoring]
Amazon Inspector

* Automated Security Assessments
* For EC2 instances
  * Leveraging the AWS System Manager (SSM) agent
  * Analyze against unintended network accessibility
  * Analyze the running OS against known vulnerabilities
* For Container Images pushed to Amazon ECR
  * Assessment of Container Images as they are pushed
* For Lambda Functions
  * Identifies software vulnerabilities in function code and package dependencies
  * Assessment of functions as they are deployed
* Reporting & integration with AWS Security Hub
* Send findings to Amazon EventBridge

[Diagram: SSM Agent (EC2), Lambda Function and Amazon ECR Container Image -> Amazon Inspector -> assessment run state & findings -> EventBridge and Security Hub]
What does Amazon Inspector evaluate?

* Remember: only for EC2 instances, Container Images & Lambda functions
* Continuous scanning of the infrastructure, only when needed
* Package vulnerabilities (EC2, ECR & Lambda): database of CVE
* Network reachability (EC2)
* A risk score is associated with all vulnerabilities for prioritization
Amazon Macie

* Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.
* Macie helps identify and alert you to sensitive data, such as personally identifiable information (PII)

[Diagram: S3 Buckets -> (analyze) Macie: Discover Sensitive Data (PII) -> (notify) Amazon EventBridge -> integrations]
Virtual Private Cloud (VPC)

VPC Components Diagram

[Diagram: VPC (CIDR 172.16.0.0, subnet 172.16.1.0) with Public and Private EC2 Instances and their Security Groups, a Route Table, an Internet Gateway to the Internet, a NAT Gateway, a Transit Gateway, VPC Peering Connections, a Direct Connect Connection, and DynamoDB]
Understanding CIDR – IPv4

* Classless Inter Domain Routing: a method for allocating IP addresses
* Used in Security Groups rules and AWS networking in general

IP version | Type | Protocol | Port range | Source
IPv4 | SSH | TCP | 22 | 122.149.196.85/32
IPv4 | HTTP | TCP | 80 | 0.0.0.0/0

* They help to define an IP address range:
  * We've seen WW.XX.YY.ZZ/32 => one IP
  * We've seen 0.0.0.0/0 => all IPs
  * But we can define: 192.168.0.0/26 => 192.168.0.0 – 192.168.0.63 (64 IP addresses)
Understanding CIDR – IPv4

* A CIDR consists of two components
  * Base IP
    * Represents an IP contained in the range (XX.XX.XX.XX)
    * Example: 10.0.0.0, 122.168.0.0, ...
  * Subnet Mask
    * Defines how many bits can change in the IP
    * Example: /0, /24, /32
    * Can take two forms:
      * /8 <=> 255.0.0.0
      * /16 <=> 255.255.0.0
      * /24 <=> 255.255.255.0
      * /32 <=> 255.255.255.255
Understanding CIDR – Subnet Mask

* The Subnet Mask basically allows part of the underlying IP to get additional next values from the base IP

/32 => allows for 1 IP (2^0)        192.168.0.0
/31 => allows for 2 IPs (2^1)       192.168.0.0 -> 192.168.0.1
/30 => allows for 4 IPs (2^2)       192.168.0.0 -> 192.168.0.3
/29 => allows for 8 IPs (2^3)       192.168.0.0 -> 192.168.0.7
/28 => allows for 16 IPs (2^4)      192.168.0.0 -> 192.168.0.15
/27 => allows for 32 IPs (2^5)      192.168.0.0 -> 192.168.0.31
/26 => allows for 64 IPs (2^6)      192.168.0.0 -> 192.168.0.63
/25 => allows for 128 IPs (2^7)     192.168.0.0 -> 192.168.0.127
/24 => allows for 256 IPs (2^8)     192.168.0.0 -> 192.168.0.255
/16 => allows for 65,536 IPs (2^16) 192.168.0.0 -> 192.168.255.255
/0  => allows for all IPs           0.0.0.0 -> 255.255.255.255

Quick Memo (octets of 192.168.0.0):
* /32: no octet can change
* /24: last octet can change
* /16: last 2 octets can change
* /8: last 3 octets can change
* /0: all octets can change
Understanding CIDR – Little Exercise

* 192.168.0.0/24 = ... ?
  * 192.168.0.0 – 192.168.0.255 (256 IPs)
* 192.168.0.0/16 = ... ?
  * 192.168.0.0 – 192.168.255.255 (65,536 IPs)
* 134.56.78.123/32 = ... ?
  * Just 134.56.78.123
* 0.0.0.0/0
  * All IPs!
* When in doubt, use this website https://www.ipaddressguide.com/cidr
Public vs. Private IP (IPv4)

* The Internet Assigned Numbers Authority (IANA) established certain blocks of IPv4 addresses for the use of private (LAN) and public (Internet) addresses
* Private IP can only allow certain values:
  * 10.0.0.0 – 10.255.255.255 (10.0.0.0/8) <= in big networks
  * 172.16.0.0 – 172.31.255.255 (172.16.0.0/12) <= AWS default VPC in that range
  * 192.168.0.0 – 192.168.255.255 (192.168.0.0/16) <= e.g., home networks
* All the rest of the IP addresses on the Internet are Public

© Stephane Maarek
Default VPC Walkthrough

* All new AWS accounts have a default VPC
* New EC2 instances are launched into the default VPC if no subnet is specified
* Default VPC has Internet connectivity and all EC2 instances inside it have public IPv4 addresses
* We also get public and private IPv4 DNS names
VPC in AWS – IPv4

* VPC = Virtual Private Cloud
* You can have multiple VPCs in an AWS region (max. 5 per region, soft limit)
* Max. CIDR per VPC is 5, for each CIDR:
  * Min. size is /28 (16 IP addresses)
  * Max. size is /16 (65536 IP addresses)
* Because VPC is private, only the Private IPv4 ranges are allowed:
  * 10.0.0.0 – 10.255.255.255 (10.0.0.0/8)
  * 172.16.0.0 – 172.31.255.255 (172.16.0.0/12)
  * 192.168.0.0 – 192.168.255.255 (192.168.0.0/16)
* Your VPC CIDR should NOT overlap with your other networks (e.g., corporate)
[Diagram: Adding Subnets: public and private subnets inside an Availability Zone]

VPC – Subnet (IPv4)

* AWS reserves 5 IP addresses (first 4 & last 1) in each subnet
* These 5 IP addresses are not available for use and can't be assigned to an EC2 instance
* Example: if CIDR block 10.0.0.0/24, then reserved IP addresses are:
  * 10.0.0.0: Network Address
  * 10.0.0.1: reserved by AWS for the VPC router
  * 10.0.0.2: reserved by AWS for mapping to Amazon-provided DNS
  * 10.0.0.3: reserved by AWS for future use
  * 10.0.0.255: Network Broadcast Address. AWS does not support broadcast in a VPC, therefore the address is reserved
* Exam Tip, if you need 29 IP addresses for EC2 instances:
  * You can't choose a subnet of size /27 (32 IP addresses, 32 - 5 = 27 < 29)
  * You need to choose a subnet of size /26 (64 IP addresses, 64 - 5 = 59 > 29)
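The CIDR arithmetic from the last few slides (addresses per prefix, the two forms of a subnet mask, the five addresses AWS reserves in every subnet, and the VPC CIDR rules) worked into one small helper. This is an added example written for this page, not code from the course; the CIDRs it is run against are made up.

```python
"""Added example (not from the course slides): CIDR arithmetic for VPC and
subnet planning, following the rules stated on the CIDR, VPC and Subnet
slides. Standard library only; the CIDRs checked at the bottom are made up.
"""
import ipaddress

# Private IPv4 ranges (IANA) that a VPC CIDR must come from
PRIVATE_RANGES = [ipaddress.ip_network(c) for c in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28   # /16 largest VPC CIDR, /28 smallest
AWS_RESERVED_PER_SUBNET = 5               # first four addresses + the last one


def cidr_range(cidr):
    """Expand a CIDR to (first address, last address, number of addresses)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def prefix_to_mask(prefix):
    """Second form of a subnet mask: /16 -> '255.255.0.0'."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)


def reserved_addresses(subnet_cidr):
    """The five addresses AWS keeps in every subnet, in the slide's order."""
    net = ipaddress.ip_network(subnet_cidr, strict=False)
    first_four = [str(net.network_address + i) for i in range(4)]
    return first_four + [str(net.broadcast_address)]


def usable_addresses(subnet_cidr):
    """Addresses you can actually assign to EC2 instances in the subnet."""
    net = ipaddress.ip_network(subnet_cidr, strict=False)
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def smallest_subnet_for(hosts):
    """Smallest subnet (largest prefix) that leaves `hosts` usable addresses."""
    for prefix in range(VPC_MAX_PREFIX, VPC_MIN_PREFIX - 1, -1):
        if 2 ** (32 - prefix) - AWS_RESERVED_PER_SUBNET >= hosts:
            return prefix
    raise ValueError(f"{hosts} hosts do not fit in a single /16 subnet")


def vpc_cidr_problems(cidr, other_networks=()):
    """Check a candidate VPC CIDR against the slide's rules; empty list = OK."""
    net = ipaddress.ip_network(cidr, strict=False)
    problems = []
    if not any(net.subnet_of(private) for private in PRIVATE_RANGES):
        problems.append("not in a private IPv4 range")
    if net.prefixlen < VPC_MIN_PREFIX:
        problems.append(f"/{net.prefixlen} is larger than the /16 maximum")
    if net.prefixlen > VPC_MAX_PREFIX:
        problems.append(f"/{net.prefixlen} is smaller than the /28 minimum")
    for other in other_networks:   # e.g. corporate networks you will peer with
        if net.overlaps(ipaddress.ip_network(other, strict=False)):
            problems.append(f"overlaps with {other}")
    return problems


if __name__ == "__main__":
    print(cidr_range("192.168.0.0/26"))        # ('192.168.0.0', '192.168.0.63', 64)
    print(reserved_addresses("10.0.0.0/24"))
    print(smallest_subnet_for(29))             # 26: a /27 leaves only 27 usable
    print(vpc_cidr_problems("10.0.0.0/16", ["10.0.1.0/24"]))   # made-up overlap
```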
Internet Gateway (IGW)

* Allows resources (e.g., EC2 instances) in a VPC connect to the Internet
* It scales horizontally and is highly available and redundant
* Must be created separately from a VPC
* One VPC can only be attached to one IGW and vice versa
* Internet Gateways on their own do not allow Internet access...
* Route tables must also be edited!
[Diagram: Adding Internet Gateway: Internet -> Internet Gateway -> Public Subnet and Private Subnet in an Availability Zone; Editing Route Tables]

Bastion Hosts

* We can use a Bastion Host to SSH into our private EC2 instances
* The bastion is in the public subnet which is then connected to all other private subnets
* Bastion Host security group must allow inbound from the internet on port 22 from restricted CIDR, for example the public CIDR of your corporation
* Security Group of the EC2 Instances must allow the Security Group of the Bastion Host, or the private IP of the Bastion host

[Diagram: Users -> Internet -> Public Subnet (Bastion Host) -> Private Subnet (private EC2 instances)]
NAT Instance (outdated, but still at the exam)

* NAT = Network Address Translation
* Allows EC2 instances in private subnets to connect to the Internet
* Must be launched in a public subnet
* Must disable EC2 setting: Source / destination Check
* Must have Elastic IP attached to it
* Route Tables must be configured to route traffic from private subnets to the NAT Instance

[Diagram: Private EC2 instances (IP 10.0.0.10 and IP 10.0.0.20, Private Subnet) send packets with Dest. 50.60.4.10 to the NAT Instance (Public Subnet, Security Group NATInstance-SG, EIP 12.34.56.78); the NAT Instance forwards them through the Internet Gateway to the Server (IP 50.60.4.10), and the reply (Src. 50.60.4.10) is sent back with Dest. 10.0.0.20]
NAT Instance – Comments

* Pre-configured Amazon Linux AMI is available
  * Reached the end of standard support on December 31, 2020
* Not highly available / resilient setup out of the box
  * You need to create an ASG in multi-AZ + resilient user-data script
* Internet traffic bandwidth depends on EC2 instance type
* You must manage Security Groups & rules:
  * Inbound:
    * Allow HTTP / HTTPS traffic coming from Private Subnets
    * Allow SSH from your home network (access is provided through Internet Gateway)
  * Outbound:
    * Allow HTTP / HTTPS traffic to the Internet
NAT Gateway

* AWS-managed NAT, higher bandwidth, high availability, no administration
* Pay per hour for usage and bandwidth
* NAT GW is created in a specific Availability Zone, uses an Elastic IP
* Can't be used by EC2 instance in the same subnet (only from other subnets)
* Requires an IGW (Private Subnet => NATGW => IGW)
* 5 Gbps of bandwidth with automatic scaling up to 45 Gbps
* No Security Groups to manage / required

[Diagram: Availability Zone: private EC2 instances -> NAT Gateway (public subnet) -> Internet Gateway -> Internet; a Public EC2 Instance with its Security Group sits in the public subnet]
NAT Gateway with High Availability

* NAT Gateway is resilient within a single Availability Zone
* Must create multiple NAT Gateways in multiple AZs for fault-tolerance
* There is no cross-AZ failover needed because if an AZ goes down it doesn't need NAT

[Diagram: Region with an Internet Gateway and two Availability Zones; each AZ has its own NAT Gateway in its public subnet serving the private subnet of that AZ]
NAT Gateway vs. NAT Instance

Attribute | NAT Gateway | NAT Instance
Availability | Highly available within AZ (create in another AZ) | Use a script to manage failover between instances
Bandwidth | Up to 45 Gbps | Depends on EC2 instance type
Maintenance | Managed by AWS | Managed by you (e.g., software, OS patches, ...)
Cost | Per hour & amount of data transferred | Per hour, EC2 instance type and size, + network $
Public IPv4 | Yes | Yes
Private IPv4 | Yes | Yes
Security Groups | No | Yes
Use as Bastion Host? | No | Yes

More at: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-comparison.html
Security Groups & NACLs

[Diagram. Incoming Request: Internet -> Subnet NACL Inbound Rules (stateless) -> Security Group Inbound Rules -> EC2 Instance; the response is automatically allowed out by the Security Group (stateful: "Outbound Allowed") but must still pass the NACL Outbound Rules (stateless). Outgoing Request: EC2 Instance -> Security Group Outbound Rules -> NACL Outbound Rules (stateless) -> Internet; the response must pass the NACL Inbound Rules (stateless) and is automatically allowed in by the Security Group (stateful: "Inbound Allowed")]
Network Access Control List (NACL)

* NACLs are like a firewall which control traffic from and to subnets
* One NACL per subnet, new subnets are assigned the Default NACL
* You define NACL Rules:
  * Rules have a number (1-32766), higher precedence with a lower number
  * First rule match will drive the decision
  * Example: if you define #100 ALLOW 10.0.0.10/32 and #200 DENY 10.0.0.10/32, the IP address will be allowed because 100 has a higher precedence over 200
  * The last rule is an asterisk (*) and denies a request in case of no rule match
  * AWS recommends adding rules by increment of 100
* Newly created NACLs will deny everything
* NACLs are a great way of blocking a specific IP address at the subnet level
[Diagram: Availability Zone with a NAT Gateway and a Public EC2 Instance (Security Group) behind NACLs, connected to the Internet]

Default NACL

* Accepts everything inbound/outbound with the subnets it's associated with
* Do NOT modify the Default NACL, instead create custom NACLs

Default NACL for a VPC that supports IPv4

Inbound Rules
Rule # | Type | Protocol | Port range | Source | Allow/Deny
100 | All IPv4 Traffic | All | All | 0.0.0.0/0 | ALLOW
* | All IPv4 Traffic | All | All | 0.0.0.0/0 | DENY

Outbound Rules
Rule # | Type | Protocol | Port range | Destination | Allow/Deny
100 | All IPv4 Traffic | All | All | 0.0.0.0/0 | ALLOW
* | All IPv4 Traffic | All | All | 0.0.0.0/0 | DENY
Ephemeral Ports

* For any two endpoints to establish a connection, they must use ports
* Clients connect to a defined port, and expect a response on an ephemeral port
* Different Operating Systems use different port ranges, examples:
  * IANA & MS Windows 10 => 49152 – 65535
  * Many Linux Kernels => 32768 – 60999

[Diagram: Client (IP: 11.22.33.44, Ephemeral Port: 50105) sends a Request with Dest. IP 55.66.77.88, Dest. Port 443, Src. IP 11.22.33.44, Src. Port 50105 to the Web Server (IP: 55.66.77.88, Fixed Port: 443); the Web Server returns the Response to the client's ephemeral port]
NACL with Ephemeral Ports

[Diagram: VPC with a Web Tier (Web Subnet, Public) reached by a Client on an ephemeral port, and a Database Tier (DB Subnet, Private) holding an Amazon RDS DB Instance on port 3306. NACL rules:]

Web Subnet (Public) NACL:
* Allow Outbound TCP on port 3306 to DB Subnet CIDR
* Allow Inbound TCP on port 1024-65535 from DB Subnet CIDR

DB Subnet (Private) NACL:
* Allow Inbound TCP on port 3306 from Web Subnet CIDR
* Allow Outbound TCP on port 1024-65535 to Web Subnet CIDR

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-ephemeral-port

Create NACL rules for each target subnet's CIDR

[Diagram: the same VPC with Web Subnet A and Web Subnet B (Public) in the Web Tier and DB Subnet A and DB Subnet B (Private, each with an Amazon RDS DB Instance) in the Database Tier; every subnet's NACL needs the rules above for the CIDR of each subnet it talks to]
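A small simulator of the NACL behaviour described on the NACL, Default NACL and ephemeral-port slides (numbered rules, lowest number first, first match wins, implicit final `*` deny, stateless return traffic), run against the web-tier / database-tier rule set above. This is an added example for this page, not the course's code; the subnet CIDRs, addresses and rule numbers are made up.

```python
"""Added example (not from the course slides): simulate how a Network ACL
evaluates packets and walk one web -> database TCP connection through the
NACLs of both subnets. Subnet CIDRs, IPs and rule numbers are made up.
"""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)   # return-traffic range used on the slides


@dataclass(frozen=True)
class Rule:
    number: int      # 1-32766, lower number = higher precedence
    protocol: str    # "tcp", "udp", "icmp" or "all"
    ports: tuple     # (low, high) inclusive; ignored when protocol is "all"
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound
    action: str      # "ALLOW" or "DENY"

    def matches(self, protocol, port, address):
        if self.protocol not in ("all", protocol):
            return False
        if self.protocol != "all" and not (self.ports[0] <= port <= self.ports[1]):
            return False
        return ipaddress.ip_address(address) in ipaddress.ip_network(self.cidr)


def evaluate(rules, protocol, port, address):
    """First matching rule in ascending number order decides; '*' = final DENY."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, port, address):
            return rule.number, rule.action
    return "*", "DENY"


@dataclass
class Nacl:
    inbound: list
    outbound: list


def tcp_connection_allowed(client_nacl, client_ip, client_port,
                           server_nacl, server_ip, server_port):
    """Walk one TCP exchange through both subnets' NACLs in both directions.
    NACLs are stateless, so the reply hops are evaluated on their own.
    Returns (allowed, trace) so the failing hop is visible."""
    hops = [  # (name, rules, port the rule looks at, address the rule looks at)
        ("client outbound", client_nacl.outbound, server_port, server_ip),
        ("server inbound", server_nacl.inbound, server_port, client_ip),
        ("server outbound", server_nacl.outbound, client_port, client_ip),  # reply
        ("client inbound", client_nacl.inbound, client_port, server_ip),    # reply
    ]
    trace = []
    for name, rules, port, address in hops:
        number, action = evaluate(rules, "tcp", port, address)
        trace.append((name, number, action))
        if action == "DENY":
            return False, trace
    return True, trace


WEB_CIDR = "10.0.1.0/24"   # made up
DB_CIDR = "10.0.2.0/24"    # made up

# The four rules from the "NACL with Ephemeral Ports" slide
WEB_NACL = Nacl(inbound=[Rule(100, "tcp", EPHEMERAL, DB_CIDR, "ALLOW")],
                outbound=[Rule(100, "tcp", (3306, 3306), DB_CIDR, "ALLOW")])
DB_NACL = Nacl(inbound=[Rule(100, "tcp", (3306, 3306), WEB_CIDR, "ALLOW")],
               outbound=[Rule(100, "tcp", EPHEMERAL, WEB_CIDR, "ALLOW")])
# Same, but the stateless return rule on the DB side was forgotten
DB_NACL_NO_RETURN = Nacl(inbound=DB_NACL.inbound, outbound=[])

# Default NACL: rule 100 allows all IPv4 traffic, '*' denies the rest
DEFAULT_NACL_RULES = [Rule(100, "all", (0, 65535), "0.0.0.0/0", "ALLOW")]
# Precedence example from the NACL slide: #100 ALLOW beats #200 DENY
ORDER_DEMO = [Rule(200, "all", (0, 65535), "10.0.0.10/32", "DENY"),
              Rule(100, "all", (0, 65535), "10.0.0.10/32", "ALLOW")]

if __name__ == "__main__":
    print(tcp_connection_allowed(WEB_NACL, "10.0.1.10", 50105, DB_NACL, "10.0.2.20", 3306))
    print(tcp_connection_allowed(WEB_NACL, "10.0.1.10", 50105, DB_NACL_NO_RETURN, "10.0.2.20", 3306))
    print(evaluate(ORDER_DEMO, "tcp", 22, "10.0.0.10"))
```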
Security Group vs. NACLs

Security Group | NACL
Operates at the instance level | Operates at the subnet level
Supports allow rules only | Supports allow rules and deny rules
Stateful: return traffic is automatically allowed, regardless of any rules | Stateless: return traffic must be explicitly allowed by rules (think of ephemeral ports)
All rules are evaluated before deciding whether to allow traffic | Rules are evaluated in order (lowest to highest) when deciding whether to allow traffic, first match wins
Applies to an EC2 instance when specified by someone | Automatically applies to all EC2 instances in the subnet that it's associated with

NACL Examples: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
VPC Peering

* Privately connect two VPCs using AWS' network
* Make them behave as if they were in the same network
* Must not have overlapping CIDRs
* VPC Peering connection is NOT transitive (must be established for each VPC that need to communicate with one another)
* You must update route tables in each VPC's subnets to ensure EC2 instances can communicate with each other

[Diagram: VPC-A <-> VPC Peering (A-B) <-> VPC-B and VPC-A <-> VPC Peering (A-C) <-> VPC-C; VPC-B and VPC-C are not peered with each other]
VPC Peering – Good to know

* You can create VPC Peering connection between VPCs in different AWS accounts/regions
* You can reference a security group in a peered VPC (works cross accounts, same region)

Type | Protocol | Port range | Source
HTTP | TCP | 80 | sg-04991f9af3473b939 / default
HTTP | TCP | 80 | <Account ID> / sg-027ad1f7865d4be76

NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com

[Diagram: VPC Peering between two VPCs; each VPC has an Availability Zone with a NAT Gateway, a Public EC2 Instance and a Private EC2 Instance, each with its Security Group]

VPC Endpoints
VPC Endpoints (AWS PrivateLink)

* Every AWS service is publicly exposed (public URL)
* VPC Endpoints (powered by AWS PrivateLink) allows you to connect to AWS services using a private network instead of using the public Internet
* They're redundant and scale horizontally
* They remove the need of IGW, NATGW, ... to access AWS Services
* In case of issues:
  * Check DNS Setting Resolution in your VPC
  * Check Route Tables

[Diagram. Option 1: EC2 Instance in a private subnet -> NAT Gateway -> Internet Gateway -> public Internet -> Amazon SNS. Option 2: EC2 Instance -> VPC Endpoint -> Amazon SNS over the private network]
Types of Endpoints

* Interface Endpoints (powered by PrivateLink)
  * Provisions an ENI (private IP address) as an entry point (must attach a Security Group)
  * Supports most AWS services
  * $ per hour + $ per GB of data processed
* Gateway Endpoints
  * Provisions a gateway and must be used as a target in a route table (does not use security groups)
  * Supports both S3 and DynamoDB
  * Free

[Diagram: Region / Private Subnet: EC2 Instance -> ENI -> Interface Endpoint -> Amazon SNS; EC2 Instance -> route table -> Gateway Endpoint -> Amazon DynamoDB]

Gateway or Interface Endpoint for S3?

* Gateway is most likely going to be preferred all the time at the exam
* Cost: free for Gateway, $ for interface endpoint
* Interface Endpoint is preferred when access is required from on-premises (Site to Site VPN or Direct Connect), a different VPC or a different region

[Diagram: AWS Cloud: VPC -> Interface Endpoint (PrivateLink) -> Amazon S3; VPC -> Gateway Endpoint -> Amazon S3]
Lambda in VPC accessing DynamoDB

* DynamoDB is a public service from AWS
* Option 1: Access from the public internet
  * Because Lambda is in a VPC, it needs a NAT Gateway in a public subnet and an internet gateway
* Option 2 (better & free): Access from the private VPC network
  * Deploy a VPC Gateway endpoint for DynamoDB
  * Change the Route Tables

[Diagram: AWS Cloud / VPC: Lambda in a private subnet -> NAT Gateway (public subnet) -> Internet Gateway -> DynamoDB (Option 1); Lambda -> VPC Gateway Endpoint for DynamoDB (Option 2)]
VPC Flow Logs

* Capture information about IP traffic going into your interfaces:
  * VPC Flow Logs
  * Subnet Flow Logs
  * Elastic Network Interface (ENI) Flow Logs
* Helps to monitor & troubleshoot connectivity issues
* Flow logs data can go to S3, CloudWatch Logs, and Kinesis Data Firehose
* Captures network information from AWS managed interfaces too: ELB, RDS, ElastiCache, Redshift, WorkSpaces, NAT GW, Transit Gateway...

[Diagram: VPC Flow Logs captured at the VPC level, at the subnet level (NAT Gateway, Public EC2 Instance with its Security Group), at the ENI level, and for a VPC Peer]
VPC Flow Logs Syntax

version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status

2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 172.31.9.69 172.31.9.12 49761 3389 6 20 4249 1418530010 1418530070 REJECT OK

* srcaddr & dstaddr: help identify problematic IP
* srcport & dstport: help identify problematic ports
* Action: success or failure of the request due to Security Group / NACL
* Can be used for analytics on usage patterns, or malicious behavior
* Query VPC flow logs using Athena on S3 or CloudWatch Logs Insights
* Flow Logs examples: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.html
VPC Flow Logs – Troubleshoot SG & NACL issues

Look at the "ACTION" field

Incoming Requests
* Inbound REJECT => NACL or SG
* Inbound ACCEPT, Outbound REJECT => NACL

Outgoing Requests
* Outbound REJECT => NACL or SG
* Outbound ACCEPT, Inbound REJECT => NACL

[Diagram: same flow as on the "Security Groups & NACLs" slide: Subnet NACL Inbound Rules (stateless) -> SG Inbound Rules -> EC2 Instance, and NACL Outbound Rules (stateless) on the way out, with the Security Group stateful in both directions]
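The record format from the "VPC Flow Logs Syntax" slide and the ACTION-field reasoning above, as an added example (not the course's code): a parser for the 14-field v2 records plus a triage function that pairs each request flow with its return flow and names the likely culprit. The sample log mixes the two records shown on the slide with made-up ones; the set of instance IPs and the "lower port is the server" rule for deciding who initiated the connection are assumptions made for the example.

```python
"""Added example (not from the course slides): parse VPC Flow Log v2 records
and apply the troubleshooting rule from the slide above to each connection.

Assumptions for the example: the default 14-field v2 format; the caller
knows the instance's private IPs (to decide which side is "local"); and the
side using the lower port number is taken to be the server, since clients
use ephemeral ports (see the Ephemeral Ports slide).
"""
from collections import Counter, defaultdict

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets",
              "bytes", "start", "end"}

# Constructed sample. Lines 1 and 3 are the records shown on the slide; the
# other lines are made up so that every diagnosis branch is exercised.
SAMPLE_LOG = """\
2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 172.31.16.21 172.31.16.139 22 20641 6 20 4249 1418530010 1418530070 REJECT OK
2 123456789010 eni-1235b8ca123456789 172.31.9.69 172.31.9.12 49761 3389 6 20 4249 1418530010 1418530070 REJECT OK
2 123456789010 eni-1235b8ca123456789 172.31.16.21 203.0.113.5 50105 443 6 10 1500 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 203.0.113.5 172.31.16.21 443 50105 6 10 1500 1418530010 1418530070 REJECT OK
2 123456789010 eni-1235b8ca123456789 - - - - - - - 1418530010 1418530070 - NODATA
"""


def parse_record(line):
    """One space-separated v2 record -> dict; '-' (NODATA/SKIPDATA) -> None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    record = {}
    for name, value in zip(FIELDS, parts):
        if value == "-":
            record[name] = None
        elif name in INT_FIELDS:
            record[name] = int(value)
        else:
            record[name] = value
    return record


def parse_records(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def _verdict(request_action, return_action):
    """The slide's rule, stated once for either direction."""
    if request_action == "REJECT":
        return "blocked on request: NACL or SG"
    if request_action == "ACCEPT" and return_action == "REJECT":
        return "blocked on return traffic: NACL (stateless)"
    if request_action == "ACCEPT":
        return "allowed"
    return "request flow not seen"


def diagnose(records, instance_ips):
    """Pair request and return flows of each connection on the instance's ENI.
    Returns {(local_ip, local_port, remote_ip, remote_port): (kind, verdict)}."""
    flows = defaultdict(dict)   # connection key -> {"inbound"/"outbound": action}
    for r in records:
        if r["action"] is None:          # NODATA / SKIPDATA carry no verdict
            continue
        if r["dstaddr"] in instance_ips:
            key, direction = (r["dstaddr"], r["dstport"], r["srcaddr"], r["srcport"]), "inbound"
        elif r["srcaddr"] in instance_ips:
            key, direction = (r["srcaddr"], r["srcport"], r["dstaddr"], r["dstport"]), "outbound"
        else:
            continue
        flows[key][direction] = r["action"]
    result = {}
    for key, actions in flows.items():
        local_port, remote_port = key[1], key[3]
        if local_port < remote_port:     # we are the server: incoming request
            result[key] = ("incoming", _verdict(actions.get("inbound"), actions.get("outbound")))
        else:                            # we used the ephemeral port: outgoing request
            result[key] = ("outgoing", _verdict(actions.get("outbound"), actions.get("inbound")))
    return result


def top_rejected_sources(records, n=10):
    """Same question CloudWatch Contributor Insights answers: who gets rejected most."""
    return Counter(r["srcaddr"] for r in records if r["action"] == "REJECT").most_common(n)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for key, (kind, verdict) in diagnose(recs, {"172.31.16.21", "172.31.9.12"}).items():
        print(key, kind, verdict)
    print(top_rejected_sources(recs))
```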
VPC Flow Logs – Architectures

* VPC Flow Logs -> CloudWatch Logs -> CloudWatch Contributor Insights -> Top-10 IP addresses
* VPC Flow Logs -> CloudWatch Logs -> Metric Filter -> CW Alarm -> Amazon SNS (Alert)
* VPC Flow Logs -> S3 Bucket -> Amazon Athena -> Amazon QuickSight
AWS Site-to-Site VPN

* Virtual Private Gateway (VGW)
  * VPN concentrator on the AWS side of the VPN connection
  * VGW is created and attached to the VPC from which you want to create the Site-to-Site VPN connection
  * Possibility to customize the ASN (Autonomous System Number)
* Customer Gateway (CGW)
  * Software application or physical device on customer side of the VPN connection
  * https://docs.aws.amazon.com/vpn/latest/s2svpn/your-cgw.html#DevicesTested
Site-to-Site VPN Connections

* Customer Gateway Device (On-premises)
  * What IP address to use?
    * Public Internet-routable IP address for your Customer Gateway device
    * If it's behind a NAT device that's enabled for NAT traversal (NAT-T), use the public IP address of the NAT device
* Important step: enable Route Propagation for the Virtual Private Gateway in the route table that is associated with your subnets
* If you need to ping your EC2 instances from on-premises, make sure you add the ICMP protocol on the inbound of your security groups

[Diagram: VPC with a Virtual Private Gateway <-> Site-to-Site VPN <-> Customer Gateway (public IP); alternatively a NAT Device (public IP) in front of the Customer Gateway (private IP) and the on-premises Server]
AWS VPN CloudHub

* Provide secure communication between multiple sites, if you have multiple VPN connections
* Low-cost hub-and-spoke model for primary or secondary network connectivity between different locations (VPN only)
* It's a VPN connection so it goes over the public Internet
* To set it up, connect multiple VPN connections on the same VGW, setup dynamic routing and configure route tables

[Diagram: Virtual Private Gateway with Private Subnet 1 and Private Subnet 2 (EC2 Instances) in two Availability Zones; several Customer Gateways connected to it over VPN]
Direct Connect (DX)

* Provides a dedicated private connection from a remote network to your VPC
* Dedicated connection must be setup between your DC and AWS Direct Connect locations
* You need to setup a Virtual Private Gateway on your VPC
* Access public resources (S3) and private (EC2) on same connection
* Use Cases:
  * Increase bandwidth throughput: working with large data sets, lower cost
  * More consistent network experience: applications using real-time data feeds
  * Hybrid Environments (on prem + cloud)
* Supports both IPv4 and IPv6
Direct Connect Diagram

[Diagram: Corporate data center (Customer router/firewall, Customer Network) -> Customer or partner router in the Customer or partner cage -> AWS Direct Connect Endpoint in the AWS Cage; from there a Private virtual interface reaches the Virtual Private Gateway and the EC2 Instances in the Region, and a Public virtual interface reaches public AWS resources]
Direct Connect Gateway

* If you want to setup a Direct Connect to one or more VPC in many different regions (same account), you must use a Direct Connect Gateway

[Diagram: Customer network -> Private virtual interface -> AWS Direct Connect connection -> Direct Connect Gateway -> Private virtual interfaces -> VPC 10.0.0.0/16 in Region us-east-1 and VPC 172.16.0.0/16 in Region us-west-1]
Direct Connect – Connection Types

* Dedicated Connections: 1 Gbps, 10 Gbps and 100 Gbps capacity
  * Physical ethernet port dedicated to a customer
  * Request made to AWS first, then completed by AWS Direct Connect Partners
* Hosted Connections: 50 Mbps, 500 Mbps, to 10 Gbps
  * Connection requests are made via AWS Direct Connect Partners
  * Capacity can be added or removed on demand
  * 1, 2, 5, 10 Gbps available at select AWS Direct Connect Partners
* Lead times are often longer than 1 month to establish a new connection
Direct Connect – Encryption

* Data in transit is not encrypted but is private
* AWS Direct Connect + VPN provides an IPsec-encrypted private connection
* Good for an extra level of security, but slightly more complex to put in place

[Diagram: Corporate data center -> Direct Connect (with a VPN on top) -> Region (us-east-1) VPC with EC2 Instances in two Availability Zones]
Direct Connect – Resiliency

High Resiliency for Critical Workloads

[Diagram: two Corporate data centers, each with one connection to a different AWS Direct Connect location]

One connection at multiple locations

Maximum Resiliency for Critical Workloads

[Diagram: two Corporate data centers, each with two separate connections, one to AWS Direct Connect Location 1 and one to AWS Direct Connect Location 2]

Maximum resilience is achieved by separate connections terminating on separate devices in more than one location.
Site-to-Site VPN connection as a backup

* In case Direct Connect fails, you can set up a backup Direct Connect connection (expensive), or a Site-to-Site VPN connection

[Diagram: Corporate DC -> Direct Connect (Primary Connection) -> AWS Cloud; Corporate DC -> Site-to-Site VPN (Backup Connection) -> AWS Cloud]
Network topologies can become complicated

[Diagram: several Amazon VPCs linked pairwise by VPC Peering Connections, several Customer Gateways each with its own VPN Connection, and a Direct Connect Gateway; the number of point-to-point links grows with every VPC and site added]
Transit Gateway

* For having transitive peering between thousands of VPC and on-premises, hub-and-spoke (star) connection
* Regional resource, can work cross-region
* Share cross-account using Resource Access Manager (RAM)
* You can peer Transit Gateways across regions
* Route Tables: limit which VPC can talk with other VPC
* Works with Direct Connect Gateway, VPN connections
* Supports IP Multicast (not supported by any other AWS service)

[Diagram: Transit Gateway as the hub connected to several Amazon VPCs, an AWS Direct Connect Gateway and a Customer Gateway]
Transit Gateway: Site-to-Site VPN ECMP

* ECMP = Equal-cost multi-path routing
* Routing strategy to allow to forward a packet over multiple best path
* Use case: create multiple Site-to-Site VPN connections to increase the bandwidth of your connection to AWS

[Diagram: Corporate data center (172.16.0.0/16) with multiple Site-to-Site VPN connections to a Transit Gateway]
Transit Gateway: throughput with ECMP

VPN to virtual private gateway:
* 1x VPN connection = 1.25 Gbps

VPN to transit gateway:
* 1x VPN connection = 2.5 Gbps (ECMP), 2 tunnels used
* 2x VPN connections = 5.0 Gbps (ECMP)
* 3x VPN connections = 7.5 Gbps (ECMP)
* + $$ per GB of TGW processed data

(each VPN connection has 2 tunnels)
Transit Gateway – Share Direct Connect between multiple accounts

[Diagram: Corporate data center (Customer router/firewall, Clients, Servers) -> AWS Direct Connect Location (AWS Direct Connect endpoint) -> Transit VIF (VLAN) -> Direct Connect Gateway -> Transit Gateway -> VPCs in several AWS accounts]

You can use AWS Resource Access Manager to share Transit Gateway with other accounts.
VPC – Traffic Mirroring

* Allows you to capture and inspect network traffic in your VPC
* Route the traffic to security appliances that you manage
* Capture the traffic
  * From (Source): ENIs
  * To (Targets): an ENI or a Network Load Balancer
* Capture all packets or capture the packets of your interest (optionally, truncate packets)
* Source and Target can be in the same VPC or different VPCs (VPC Peering)
* Use cases: content inspection, threat monitoring, troubleshooting, ...

[Diagram: inbound and outbound traffic of a source ENI -> mirror (filter traffic, optional) -> Network Load Balancer -> EC2 instances with Security Appliances]
What is IPv6?

* IPv4 designed to provide 4.5 Billion addresses (they'll be exhausted soon)
* IPv6 is the successor of IPv4
* IPv6 is designed to provide 3.4 x 10^28 unique IP addresses
* Every IPv6 address is public and Internet-routable (no private range)
* Format: x:x:x:x:x:x:x:x (x is hexadecimal, range can be from 0000 to ffff)
* Examples:
  * 2001:db8:3333:4444:5555:6666:7777:8888
  * 2001:db8:3333:4444:cccc:dddd:eeee:ffff
  * :: => all 8 segments are zero
  * 2001:db8:: => the last 6 segments are zero
  * ::1234:5678 => the first 6 segments are zero
  * 2001:db8::1234:5678 => the middle 4 segments are zero
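The `::` shorthand is the part of the format people get wrong when writing security group rules or log filters, so it is worth seeing the expansion rule in code. The example below is added here and is not from the slides: it expands the addresses listed above by hand (the rule is that `::` stands for one or more consecutive all-zero groups and may appear only once), phrases the result the way the slide does, and cross-checks the expansion against Python's `ipaddress` module.

```python
# Added example (not from the slides): expand the '::' zero-compression of the IPv6
# addresses listed above and describe which of the 8 groups are zero. The expansion is
# written out by hand to show the rule, then cross-checked with Python's ipaddress module.
from __future__ import annotations

import ipaddress

HEX_DIGITS = set("0123456789abcdefABCDEF")


def expand_ipv6(addr: str) -> list[str]:
    """Return the 8 groups of `addr` as 4-digit lowercase hex strings.

    '::' stands for one or more consecutive all-zero groups and may appear once.
    """
    if addr.count("::") > 1:
        raise ValueError("'::' may appear at most once")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, found {len(groups)}")
    expanded = []
    for g in groups:
        if not 1 <= len(g) <= 4 or not set(g) <= HEX_DIGITS:
            raise ValueError(f"bad group {g!r}")
        expanded.append(g.lower().zfill(4))
    return expanded


def zero_groups(addr: str) -> list[int]:
    """Indices (0-7) of the groups that are zero."""
    return [i for i, g in enumerate(expand_ipv6(addr)) if g == "0000"]


def describe(addr: str) -> str:
    """Phrase the zero groups the way the slide does."""
    zeros = zero_groups(addr)
    n = len(zeros)
    if n == 0:
        return "no segment is zero"
    if n == 8:
        return "all 8 segments are zero"
    contiguous = zeros == list(range(zeros[0], zeros[0] + n))
    if not contiguous:
        return f"{n} segments are zero"
    if zeros[0] == 0:
        return f"the first {n} segments are zero"
    if zeros[-1] == 7:
        return f"the last {n} segments are zero"
    return f"the middle {n} segments are zero"


def matches_stdlib(addr: str) -> bool:
    """Cross-check the hand-written expansion against ipaddress.IPv6Address."""
    return ":".join(expand_ipv6(addr)) == ipaddress.IPv6Address(addr).exploded


if __name__ == "__main__":
    for a in ("2001:db8:3333:4444:5555:6666:7777:8888", "::", "2001:db8::",
              "::1234:5678", "2001:db8::1234:5678"):
        print(f"{a:<40} {':'.join(expand_ipv6(a))}  => {describe(a)}")
```

When comparing addresses in rules or logs, always compare the expanded (or `ipaddress`-normalised) form: `2001:db8::1` and `2001:0db8:0000:0000:0000:0000:0000:0001` are the same address but different strings.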
IPv6 in VPC

* IPv4 cannot be disabled for your VPC and subnets
* You can enable IPv6 (they're public IP addresses) to operate in dual-stack mode
* Your EC2 instances will get at least a private internal IPv4 and a public IPv6
* They can communicate using either IPv4 or IPv6 to the internet through an Internet Gateway

[Diagram: EC2 Instance (Private IP: 10.0.0.5, IPv6: 2001:db8::ff00:42:8329) -> Internet Gateway (IPv4 & IPv6) -> Internet]
IPv6 Troubleshooting

* IPv4 cannot be disabled for your VPC and subnets
* So, if you cannot launch an EC2 instance in your subnet
  * It's not because it cannot acquire an IPv6 (the space is very large)
  * It's because there are no available IPv4 in your subnet
* Solution: create a new IPv4 CIDR in your subnet

[Diagram: a user creates an EC2 instance in a VPC; CIDRs shown: IPv4 192.168.0.0/24 (instances 192.168.0.10 and 192.168.0.15), IPv4 10.0.0.0/24 with IPv6 2001:db8:1234:5678::/56 (instance 10.0.0.35 in subnet B)]
Egress-only Internet Gateway

* Used for IPv6 only
* (similar to a NAT Gateway but for IPv6)
* Allows instances in your VPC outbound connections over IPv6 while preventing the internet to initiate an IPv6 connection to your instances
* You must update the Route Tables

[Diagram: an instance with IPv6 2001:db8::b1c2 reaches the Internet through an Internet Gateway; an instance with IPv6 2001:db8::e1c3 reaches it through an Egress-only Internet Gateway]

IPv6 Routing

VPC (IPv4: 10.0.0.0/16, IPv6: 2001:db8:1234:1a00::/56)

Public Subnet (IPv4: 10.0.0.0/24, IPv6: 2001:db8:1234:1a00::/64)
  Web server — Private IPv4: 10.0.0.5, EIP: 198.51.100.1, IPv6: 2001:db8:1234:1a00::123
  NAT Gateway (IPv4) with EIP 198.51.100.1, Internet Gateway (IPv4 & IPv6)

Route Table (Public Subnet):
  10.0.0.0/16                 local
  2001:db8:1234:1a00::/56     local
  0.0.0.0/0                   igw-id
  ::/0                        igw-id

Private Subnet (IPv4: 10.0.1.0/24, IPv6: 2001:db8:1234:1a02::/64)
  Server — Private IPv4: 10.0.1.5, IPv6: 2001:db8:1234:1a02::456
  Egress-only Internet Gateway (IPv6)

Route Table (Private Subnet):
  10.0.0.0/16                 local
  2001:db8:1234:1a00::/56     local
  0.0.0.0/0                   nat-gateway-id
  ::/0                        eigw-id
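The two route tables above are the whole point of the slide: which target a packet takes depends only on the most specific matching route for its address family. The example below is added here and is not code from the slides; it encodes the slide's two route tables exactly and evaluates destinations with longest-prefix match, the same selection rule a VPC route table applies. The `reachable_from_internet` helper captures the slide's claim that only a route through an Internet Gateway lets the Internet initiate connections back.

```python
# Added example (not from the slides): longest-prefix-match evaluation of the dual-stack
# route tables shown on the "IPv6 Routing" slide. Tables and addresses are the slide's;
# the evaluation code and the sample destinations are constructed for the example.
import ipaddress

# Public subnet route table (from the slide)
PUBLIC_RT = [
    ("10.0.0.0/16", "local"),
    ("2001:db8:1234:1a00::/56", "local"),
    ("0.0.0.0/0", "igw-id"),
    ("::/0", "igw-id"),
]

# Private subnet route table (from the slide)
PRIVATE_RT = [
    ("10.0.0.0/16", "local"),
    ("2001:db8:1234:1a00::/56", "local"),
    ("0.0.0.0/0", "nat-gateway-id"),
    ("::/0", "eigw-id"),
]


def lookup(route_table, destination: str):
    """Target of the most specific route covering `destination`; None if no route
    matches (the packet is dropped). IPv4 routes never match IPv6 packets and
    vice versa, which is why a dual-stack subnet needs both default routes."""
    dst = ipaddress.ip_address(destination)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if net.version != dst.version or dst not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, target)
    return best[1] if best else None


def reachable_from_internet(route_table, family: int) -> bool:
    """Can the Internet open a connection to hosts in this subnet over IPv4 (4)
    or IPv6 (6)? Only a default route through an Internet Gateway allows that;
    a NAT Gateway and an Egress-only Internet Gateway are outbound-only."""
    default = "0.0.0.0/0" if family == 4 else "::/0"
    return lookup(route_table, ipaddress.ip_network(default)[1].compressed if family == 4
                  else "2606:4700::1111") == "igw-id" and \
        any(cidr == default and target == "igw-id" for cidr, target in route_table)


if __name__ == "__main__":
    for name, rt in (("public", PUBLIC_RT), ("private", PRIVATE_RT)):
        for dst in ("10.0.1.5", "2001:db8:1234:1a02::456", "198.51.100.77", "2606:4700::1111"):
            print(f"{name:<8} {dst:<26} -> {lookup(rt, dst)}")
        print(f"{name:<8} reachable from Internet: IPv4={reachable_from_internet(rt, 4)} "
              f"IPv6={reachable_from_internet(rt, 6)}")
```

Note what `lookup(PRIVATE_RT, ...)` returns for an IPv6 destination outside the VPC: `eigw-id`, never the NAT Gateway. A private subnet with IPv6 enabled but no `::/0` route gets no IPv6 egress at all, which is the "you must update the Route Tables" bullet above.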
VPC Section Summary (1/3)

* CIDR — IP Range
* VPC — Virtual Private Cloud => we define a list of IPv4 & IPv6 CIDR
* Subnets — tied to an AZ, we define a CIDR
* Internet Gateway — at the VPC level, provide IPv4 & IPv6 Internet Access
* Route Tables — must be edited to add routes from subnets to the IGW, VPC Peering Connections, VPC Endpoints, ...
* Bastion Host — public EC2 instance to SSH into, that has SSH connectivity to EC2 instances in private subnets
* NAT Instances — gives Internet access to EC2 instances in private subnets. Old, must be setup in a public subnet, disable Source / Destination check flag
* NAT Gateway — managed by AWS, provides scalable Internet access to private EC2 instances, IPv4 only
VPC Section Summary (2/3)

* NACL — stateless, subnet rules for inbound and outbound, don't forget Ephemeral Ports
* Security Groups — stateful, operate at the EC2 instance level
* VPC Peering — connect two VPCs with non overlapping CIDR, non-transitive
* VPC Endpoints — provide private access to AWS Services (S3, DynamoDB, CloudFormation, SSM) within a VPC
* VPC Flow Logs — can be setup at the VPC / Subnet / ENI Level, for ACCEPT and REJECT traffic, helps identifying attacks, analyze using Athena or CloudWatch Logs Insights
* Site-to-Site VPN — setup a Customer Gateway on DC, a Virtual Private Gateway on VPC, and site-to-site VPN over public Internet
* AWS VPN CloudHub — hub-and-spoke VPN model to connect your sites
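The Flow Logs bullet says they help identify attacks; the example below, added here and not taken from the slides, shows what that looks like on the raw records. It parses the default version-2 flow log format (`version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status`), discards `NODATA` records, and flags any source whose REJECTed connections touched several distinct destination ports, the shape of a probe a security group or NACL has been turning away. The log lines are constructed for the example; the same question is what you would ask Athena or CloudWatch Logs Insights at scale.

```python
# Added example (not from the slides): parse VPC Flow Log records in the default
# version-2 format and flag sources with REJECTs across many destination ports.
# The log lines below are constructed for the example (RFC 5737 addresses, a
# placeholder account id and ENI id), not captured from a real account.
from collections import defaultdict

SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.5 41234 22 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.5 41235 23 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.5 41236 3389 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.5 41237 445 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.4 10.0.1.5 52001 443 6 20 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.4 10.0.1.5 52002 443 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

# Field order of the default (version 2) flow log record.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]


def parse_flow_log(text: str):
    """Return one dict per usable record; NODATA/SKIPDATA records carry no flow."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                       # malformed or custom-format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        records.append(rec)
    return records


def rejected_ports_by_source(records):
    """srcaddr -> set of distinct destination ports that were REJECTed."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(int(r["dstport"]))
    return ports


def suspicious_sources(records, min_ports: int = 3):
    """Sources whose REJECTs hit at least `min_ports` distinct destination ports."""
    by_src = rejected_ports_by_source(records)
    return sorted(src for src, ports in by_src.items() if len(ports) >= min_ports)


def bytes_accepted_by_source(records):
    """srcaddr -> total bytes of ACCEPTed traffic (useful to spot volume outliers)."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] == "ACCEPT":
            totals[r["srcaddr"]] += int(r["bytes"])
    return dict(totals)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print(f"{len(recs)} usable records")
    print("suspicious:", suspicious_sources(recs))
    print("accepted bytes:", bytes_accepted_by_source(recs))
```

One REJECT from an otherwise legitimate client (198.51.100.4 above) is noise; the distinct-port threshold is what separates it from the source probing 22, 23, 3389 and 445. Tune `min_ports` and the time window to your own baseline before alerting on it.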
VPC Section Summary (3/3)

* Direct Connect — setup a Virtual Private Gateway on VPC, and establish a direct private connection to an AWS Direct Connect Location
* Direct Connect Gateway — setup a Direct Connect to many VPCs in different AWS regions
* AWS PrivateLink / VPC Endpoint Services:
  * Connect services privately from your service VPC to customers VPC
  * Doesn't need VPC Peering, public Internet, NAT Gateway, Route Tables
  * Must be used with Network Load Balancer & ENI
* ClassicLink — connect EC2-Classic EC2 instances privately to your VPC
* Transit Gateway — transitive peering connections for VPC, VPN & DX
* Traffic Mirroring — copy network traffic from ENIs for further analysis
* Egress-only Internet Gateway — like a NAT Gateway, but for IPv6
Networking Costs in AWS per GB - Simplified

[Chart: per-GB data transfer cost between EC2 instances in the same Availability Zone, across Availability Zones and across Regions; recoverable labels: "Free for traffic in", "Free if using private IP", "$0.02", "Public IP / Elastic IP"]

* Use Private IP instead of Public IP for good savings and better network performance
* Use same AZ for maximum savings (at the cost of high availability)
Minimizing egress traffic network cost

* Egress traffic: outbound traffic (from AWS to outside)
* Ingress traffic: inbound traffic - from outside to AWS (typically free)
* Try to keep as much internet traffic within AWS to minimize costs
* Direct Connect locations that are co-located in the same AWS Region result in lower cost for egress network

[Diagram: "Egress cost is high" — the Application in the corporate data center sends a 50 KB DB Query to the Database in the AWS Cloud and 100 MB of Query Results cross back out of AWS; "Egress cost is minimized" — the Application runs in the AWS Cloud next to the Database, the 100 MB of Query Results stay inside AWS and only 50 KB leaves toward the corporate data center]
S3 Data Transfer Pricing — Analysis for USA

* S3 ingress: free
* S3 to Internet: $0.09 per GB
* S3 Transfer Acceleration:
  * Faster transfer times (50 to 500% better)
  * Additional cost on top of Data Transfer Pricing: +$0.04 to $0.08 per GB
* S3 to CloudFront: $0.00 per GB
* CloudFront to Internet: $0.085 per GB (slightly cheaper than S3)
  * Caching capability (lower latency)
  * Reduce costs associated with S3 Requests Pricing (7x cheaper with CloudFront)
* S3 Cross Region Replication: $0.02 per GB

[Diagram: S3 -> Internet $0.09; S3 -> Edge location with Transfer acceleration +$0.04 to $0.08; S3 -> CloudFront $0.00; CloudFront -> Internet $0.085]
Pricing: NAT Gateway vs Gateway VPC Endpoint

[Diagram: Region (us-east-1), VPC (10.0.0.0/16) with a Public subnet (10.0.0.0/24) holding a NAT Gateway and an Internet Gateway; an EC2 Instance in Private subnet 1 reaches the S3 Bucket through the NAT Gateway and the Internet Gateway; an EC2 Instance in Private subnet 2 (10.0.1.0/24) reaches Amazon S3 through a Gateway VPC Endpoint]

Subnet 1 route table:
  10.0.0.0/16            Local
  0.0.0.0/0              igw-id

Subnet 2 route table:
  10.0.0.0/16            Local
  pl-id for Amazon S3    vpce-id

NAT Gateway path:
* $0.045 NAT Gateway / hour
* $0.045 NAT Gateway data processed / GB
* $0.09 Data transfer out to S3 (cross-region)
* $0.00 Data transfer out to S3 (same-region)

Gateway Endpoint path:
* No cost for using Gateway Endpoint
* $0.01 Data transfer in/out (same-region)
Network Protection on AWS

* To protect network on AWS, we've seen
  * Network Access Control Lists (NACLs)
  * Amazon VPC security groups
  * AWS WAF (protect against malicious requests)
  * AWS Shield & AWS Shield Advanced
  * AWS Firewall Manager (to manage them across accounts)
* But what if we want to protect in a sophisticated way our entire VPC?
AWS Network Firewall

* Protect your entire Amazon VPC
* From Layer 3 to Layer 7 protection
* Any direction, you can inspect
  * VPC to VPC traffic
  * Outbound to internet
  * Inbound from internet
  * To/from Direct Connect & Site-to-Site VPN
* Internally, the AWS Network Firewall uses the AWS Gateway Load Balancer
* Rules can be centrally managed cross-account via AWS Firewall Manager to apply to many VPCs
Network Firewall — Fine Grained Controls

* Supports 1000s of rules
  * IP & port - example: 10,000s of IPs filtering
  * Protocol — example: block the SMB protocol for outbound communications
  * Stateful domain list rule groups: only allow outbound traffic to *.mycorp.com or third-party software repo
  * General pattern matching using regex
* Traffic filtering: Allow, drop, or alert for the traffic that matches the rules
* Active flow inspection to protect against network threats with intrusion-prevention capabilities (like Gateway Load Balancer, but all managed by AWS)
* Send logs of rule matches to Amazon S3, CloudWatch Logs, Kinesis Data Firehose
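To make the three rule types above concrete, here is a small evaluator, added for this page and not the firewall's own engine or its Suricata-compatible rule syntax. It applies, in order, a protocol rule (drop outbound SMB), a stateful domain list (allow outbound only to `*.mycorp.com` and one vendor repo host, both constructed for the example), and the allow / drop / alert actions. The `Flow.domain` field stands for what a stateful engine learns from the TLS SNI or HTTP Host header; the ordering and the default action are choices made for this example.

```python
# Added example (not from the slides): a simplified evaluator for the rule types listed
# above: a stateful domain allow-list for outbound traffic, a protocol/port block for
# SMB, and allow / drop / alert actions. It mimics the decision logic only and is not
# AWS Network Firewall's engine or its Suricata-compatible rule syntax.
from dataclasses import dataclass
from typing import Optional, Tuple

SMB_PORTS = {139, 445}
# Constructed allow-list in the slide's style: wildcard entry plus one exact host.
DOMAIN_ALLOW_LIST = ["*.mycorp.com", "repo.example-vendor.net"]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str                    # "tcp" / "udp"
    direction: str                # "outbound" / "inbound" / "vpc-to-vpc"
    domain: Optional[str] = None  # from TLS SNI or HTTP Host, if the flow carries one


def domain_allowed(host: str, allow_list) -> bool:
    """'*.x.y' matches x.y and every subdomain of it; other entries match exactly
    (a simplification of the real domain-list semantics)."""
    host = host.lower().rstrip(".")
    for entry in allow_list:
        entry = entry.lower()
        if entry.startswith("*."):
            base = entry[2:]
            if host == base or host.endswith("." + base):
                return True
        elif host == entry:
            return True
    return False


def evaluate(flow: Flow, allow_list=DOMAIN_ALLOW_LIST) -> Tuple[str, str]:
    """Return (action, reason) with action in {"allow", "drop", "alert"}.

    Rules are checked in order, first match wins:
      1. drop outbound SMB (protocol rule)
      2. an outbound flow that names a domain must name an allow-listed one
      3. an outbound flow with no domain information is alerted, not blocked,
         because a domain list cannot judge it (choice made for this example)
      4. everything else is allowed (constructed default)
    """
    if flow.direction == "outbound" and flow.proto == "tcp" and flow.dport in SMB_PORTS:
        return "drop", "outbound SMB blocked"
    if flow.direction == "outbound" and flow.domain is not None:
        if domain_allowed(flow.domain, allow_list):
            return "allow", f"{flow.domain} is on the allow list"
        return "drop", f"{flow.domain} is not on the allow list"
    if flow.direction == "outbound":
        return "alert", "outbound flow without domain information"
    return "allow", "default"


if __name__ == "__main__":
    samples = [
        Flow("10.0.1.5", "203.0.113.7", 445, "tcp", "outbound"),
        Flow("10.0.1.5", "203.0.113.7", 443, "tcp", "outbound", "api.mycorp.com"),
        Flow("10.0.1.5", "203.0.113.7", 443, "tcp", "outbound", "evil-mycorp.com"),
        Flow("10.0.1.5", "203.0.113.7", 8443, "tcp", "outbound"),
    ]
    for f in samples:
        print(f.dport, f.domain, "->", evaluate(f))
```

Two details to check in any domain-list deployment: `evil-mycorp.com` must not match `*.mycorp.com` (the match is on a label boundary, not a suffix string), and flows that carry no SNI or Host header cannot be judged by a domain rule at all, which is why the example alerts on them rather than silently allowing.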
Disaster Recovery & Migrations

Disaster Recovery Overview

* Any event that has a negative impact on a company's business continuity or finances is a disaster
* Disaster recovery (DR) is about preparing for and recovering from a disaster
* What kind of disaster recovery?
  * On-premise => On-premise: traditional DR, and very expensive
  * On-premise => AWS Cloud: hybrid recovery
  * AWS Cloud Region A => AWS Cloud Region B
* Need to define two terms:
  * RPO: Recovery Point Objective
  * RTO: Recovery Time Objective
RPO and RTO

[Diagram: timeline with the RPO point before the Disaster and the RTO point after it; the interval between RPO and the Disaster is the Data loss, the interval between the Disaster and RTO is the Downtime]
Disaster Recovery Strategies

* Backup and Restore
* Pilot Light
* Warm Standby
* Hot Site / Multi Site Approach

(Faster RTO going down the list)
Backup and Restore (High RPO)

[Diagram: corporate data center -> AWS Cloud via AWS Snowball or regular pushes to Amazon S3 / Glacier; within AWS, scheduled regular snapshots of Amazon EC2 (EBS), Redshift and Amazon RDS stored as snapshots and restored into another AWS Cloud region (AWS Multi Region)]
Disaster Recovery — Pilot Light

* A small version of the app is always running in the cloud
* Useful for the critical core (pilot light)
* Very similar to Backup and Restore
* Faster than Backup and Restore as critical systems are already up

[Diagram: corporate data center with the application and its DB behind Route 53; in the AWS Cloud, EC2 (not running) and RDS (running) kept in sync by Data Replication]
Warm Standby

* Full system is up and running, but at minimum size
* Upon disaster, we can scale to production load

[Diagram: corporate data center (Reverse proxy, App Server, Master DB) active behind Route 53; AWS Cloud with EC2 Auto Scaling (minimum) and an RDS Slave (running) fed by Data Replication; Route 53 failover to AWS on disaster]
Multi Site / Hot Site Approach

* Very low RTO (minutes or seconds) — very expensive
* Full Production Scale is running AWS and On Premise

[Diagram: corporate data center (Reverse proxy, App Server, Master DB) and AWS Cloud (EC2 Auto Scaling (production), RDS Slave (running) fed by Data Replication), both active behind Route 53 (active-active), with failover]

All AWS Multi Region

[Diagram: two AWS Cloud regions, each with an ELB and EC2 Auto Scaling (production), both active behind Route 53 with failover; Aurora Global (master) replicating to Aurora Global (slave)]
Disaster Recovery Tips

* Backup
  * EBS Snapshots, RDS automated backups / Snapshots, etc...
  * Regular pushes to S3 / S3 IA / Glacier, Lifecycle Policy, Cross Region Replication
  * From On-Premise: Snowball or Storage Gateway
* High Availability
  * Use Route53 to migrate DNS over from Region to Region
  * RDS Multi-AZ, ElastiCache Multi-AZ, EFS, S3
  * Site to Site VPN as a recovery from Direct Connect
* Replication
  * RDS Replication (Cross Region), AWS Aurora + Global Databases
  * Database replication from on-premises to RDS
  * Storage Gateway
* Automation
  * CloudFormation / Elastic Beanstalk to re-create a whole new environment
  * Recover / Reboot EC2 instances with CloudWatch if alarms fail
  * AWS Lambda functions for customized automations
* Chaos
  * Netflix has a "simian-army" randomly terminating EC2
DMS — Database Migration Service

* Quickly and securely migrate databases to AWS, resilient, self healing
* The source database remains available during the migration
* Supports:
  * Homogeneous migrations: ex Oracle to Oracle
  * Heterogeneous migrations: ex Microsoft SQL Server to Aurora
  * Continuous Data Replication using CDC
* You must create an EC2 instance to perform the replication tasks

[Diagram: Source DB -> EC2 instance running DMS -> Target DB]
DMS Sources and Targets

SOURCES:
* On-Premises and EC2 instances databases: Oracle, MS SQL Server, MySQL, MariaDB, PostgreSQL, MongoDB, SAP, DB2
* Azure: Azure SQL Database
* Amazon RDS: all including Aurora
* Amazon S3
* DocumentDB

TARGETS:
* On-Premises and EC2 instances databases: Oracle, MS SQL Server, MySQL, MariaDB, PostgreSQL, SAP
* Amazon RDS
* Redshift, DynamoDB, S3
* OpenSearch Service
* Kinesis Data Streams
* Apache Kafka
* DocumentDB & Amazon Neptune
* Redis & Babelfish
AWS Schema Conversion Tool (SCT)

* Convert your Database's Schema from one engine to another
  * Example OLTP: (SQL Server or Oracle) to MySQL, PostgreSQL, Aurora
  * Example OLAP: (Teradata or Oracle) to Amazon Redshift
* Prefer compute-intensive instances to optimize data conversions

[Diagram: Source DB -> DMS + SCT -> Target DB (different engine)]

* You do not need to use SCT if you are migrating the same DB engine
  * Ex: On-Premise PostgreSQL => RDS PostgreSQL
  * The DB engine is still PostgreSQL (RDS is the platform)
DMS - Continuous Replication

[Diagram: in the corporate data center, an Oracle DB (source) and a server with AWS SCT installed; in a private subnet in AWS, an AWS DMS Replication Instance performs the data migration (full load + CDC) into an Amazon RDS for MySQL DB (target)]
AWS DMS — Multi-AZ Deployment

* When Multi-AZ Enabled, DMS provisions and maintains a synchronous standby replica in a different AZ
* Advantages:
  * Provides Data Redundancy
  * Minimizes latency spikes
  * Eliminates I/O freezes

[Diagram: AWS Region with a DMS Replication Instance in Availability Zone A and a synchronous replica DMS Replication Instance in Availability Zone B]
RDS & Aurora MySQL Migrations

* RDS MySQL to Aurora MySQL
  * Option 1: DB Snapshots from RDS MySQL restored as MySQL Aurora DB
  * Option 2: Create an Aurora Read Replica from your RDS MySQL, and when the replication lag is 0, promote it as its own DB cluster (can take time and cost $)
* External MySQL to Aurora MySQL
  * Option 1:
    * Use Percona XtraBackup to create a file backup in Amazon S3
    * Create an Aurora MySQL DB from Amazon S3
  * Option 2:
    * Create an Aurora MySQL DB
    * Use the mysqldump utility to migrate MySQL into Aurora (slower than S3 method)
* Use DMS if both databases are up and running

[Diagram: RDS MySQL -> DB Snapshot or Read Replica -> Amazon Aurora; external MySQL -> Percona XtraBackup -> Amazon S3 -> import into Amazon Aurora; external MySQL -> mysqldump -> Amazon Aurora]
RDS & Aurora PostgreSQL Migrations

* RDS PostgreSQL to Aurora PostgreSQL
  * Option 1: DB Snapshots from RDS PostgreSQL restored as PostgreSQL Aurora DB
  * Option 2: Create an Aurora Read Replica from your RDS PostgreSQL, and when the replication lag is 0, promote it as its own DB cluster (can take time and cost $)
* External PostgreSQL to Aurora PostgreSQL
  * Create a backup and put it in Amazon S3
  * Import it using the aws_s3 Aurora extension
* Use DMS if both databases are up and running

[Diagram: RDS PostgreSQL -> DB Snapshot or Read Replica -> Amazon Aurora; external PostgreSQL -> backup -> Amazon S3 -> Amazon Aurora]
On-Premise strategy with AWS

* Ability to download Amazon Linux 2 AMI as a VM (iso format)
  * VMWare, KVM, VirtualBox (Oracle VM), Microsoft Hyper-V
* VM Import / Export
  * Migrate existing applications into EC2
  * Create a DR repository strategy for your on-premises VMs
  * Can export back the VMs from EC2 to on-premises
* AWS Application Discovery Service
  * Gather information about your on-premises servers to plan a migration
  * Server utilization and dependency mappings
  * Track with AWS Migration Hub
* AWS Database Migration Service (DMS)
  * replicate On-premise => AWS, AWS => AWS, AWS => On-premise
  * Works with various database technologies (Oracle, MySQL, DynamoDB, etc.)
* AWS Server Migration Service (SMS)
  * Incremental replication of on-premises live servers to AWS
AWS Backup

* Fully managed service
* Centrally manage and automate backups across AWS services
* No need to create custom scripts and manual processes
* Supported services:
  * Amazon EC2 / Amazon EBS
  * Amazon S3
  * Amazon RDS (all DBs engines) / Amazon Aurora / Amazon DynamoDB
  * Amazon DocumentDB / Amazon Neptune
  * Amazon EFS / Amazon FSx (Lustre & Windows File Server)
  * AWS Storage Gateway (Volume Gateway)
* Supports cross-region backups
* Supports cross-account backups

AWS Backup

* Supports PITR for supported services
* On-Demand and Scheduled backups
* Tag-based backup policies
* You create backup policies known as Backup Plans
  * Backup frequency (every 12 hours, daily, weekly, monthly, cron expression)
  * Backup window
  * Transition to Cold Storage (Never, Days, Weeks, Months, Years)
  * Retention Period (Always, Days, Weeks, Months, Years)
AWS Backup

[Diagram: Create Backup Plan (frequency, retention policy) -> AWS Backup -> RDS, DynamoDB, DocumentDB, Aurora, Neptune, Storage Gateway, FSx, ... automatically backed up to Amazon S3]
AWS Backup Vault Lock

* Enforce a WORM (Write Once Read Many) state for all the backups that you store in your AWS Backup Vault
* Additional layer of defense to protect your backups against:
  * Inadvertent or malicious delete operations
  * Updates that shorten or alter retention periods
* Even the root user cannot delete backups when enabled

[Diagram: a Backup Vault Lock Policy applied to a backup vault — backups can't be deleted]
AWS Application Discovery Service

* Plan migration projects by gathering information about on-premises data centers
* Server utilization data and dependency mapping are important for migrations
* Agentless Discovery (AWS Agentless Discovery Connector)
  * VM inventory, configuration, and performance history such as CPU, memory, and disk usage
* Agent-based Discovery (AWS Application Discovery Agent)
  * System configuration, system performance, running processes, and details of the network connections between systems
* Resulting data can be viewed within AWS Migration Hub
AWS Application Migration Service (MGN)

* The "AWS evolution" of CloudEndure Migration, replacing AWS Server Migration Service (SMS)
* Lift-and-shift (rehost) solution which simplifies migrating applications to AWS
* Converts your physical, virtual, and cloud-based servers to run natively on AWS
* Supports wide range of platforms, Operating Systems, and databases
* Minimal downtime, reduced costs

[Diagram: servers in the Corporate Data Center / Any cloud run the AWS Replication Agent, which continuously replicates to low-cost EC2 instances & EBS volumes in AWS; at cutover, Target EC2 instances & EBS volumes are launched]
VMware Cloud on AWS

* Some customers use VMware Cloud to manage their on-premises Data Center
* They want to extend the Data Center capacity to AWS, but keep using the VMware Cloud software
* ...Enter VMware Cloud on AWS
* Use cases
  * Migrate your VMware vSphere-based workloads to AWS
  * Run your production workloads across VMware vSphere-based private, public, and hybrid cloud environments
  * Have a disaster recovery strategy

[Diagram: Customer Data Center with an On-Premises vCenter / vSphere-based environment extended into the AWS Cloud]
Transferring large amount of data into AWS

* Example: transfer 200 TB of data in the cloud. We have a 100 Mbps internet connection.
* Over the internet / Site-to-Site VPN:
  * Immediate to setup
  * Will take 200(TB)*1000(GB)*1000(MB)*8(Mb)/100 Mbps = 16,000,000s = 185d
* Over direct connect 1 Gbps:
  * Long for the one-time setup (over a month)
  * Will take 200(TB)*1000(GB)*8(Gb)/1 Gbps = 1,600,000s = 18.5d
* Over Snowball:
  * Will take 2 to 3 snowballs in parallel
  * Takes about 1 week for the end-to-end transfer
  * Can be combined with DMS
* For on-going replication / transfers: Site-to-Site VPN or DX with DMS or DataSync

Extra Solution Architecture discussions
Lambda, SNS & SQS

[Diagram: SQS + Lambda — Lambda polls the queue, try, retry, failed messages go to a DLQ; SNS + Lambda — asynchronous invocation, try, retry (retries), failed events go to a DLQ; SQS FIFO + Lambda — a failing message is blocking, DLQ]

Fan Out Pattern: deliver to multiple SQS

[Diagram: Option 1 — the application sends to each SQS queue directly; Option 2 — Fan Out — the application publishes once to SNS, which delivers to all subscribed SQS queues]
S3 Event Notifications

* S3:ObjectCreated, S3:ObjectRemoved, S3:ObjectRestore, S3:Replication...
* Object name filtering possible (*.jpg)
* Use case: generate thumbnails of images uploaded to S3
* Can create as many "S3 events" as desired
* S3 event notifications typically deliver events in seconds but can sometimes take a minute or longer

[Diagram: Amazon S3 -> events -> Lambda Function]
S3 Event Notifications with Amazon EventBridge

[Diagram: Amazon S3 bucket -> All events -> Amazon EventBridge -> rules -> Over 18 AWS services as destinations]

* Advanced filtering options with JSON rules (metadata, object size, name...)
* Multiple Destinations — ex Step Functions, Kinesis Streams / Firehose...
* EventBridge Capabilities — Archive, Replay Events, Reliable delivery

Amazon EventBridge — Intercept API Calls

[Diagram: a DeleteTable API Call on DynamoDB (any API call) is logged by CloudTrail, which emits the API call as an event to Amazon EventBridge, which raises an alert]
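The "intercept API calls" diagram is a detection pipeline: CloudTrail turns every API call into an event, and an EventBridge rule with a JSON pattern decides which ones deserve an alert. The example below is added here and is not from the slides; it writes the pattern for the slide's `DeleteTable` case in the shape EventBridge accepts for CloudTrail events, implements the basic matching semantics (each pattern value is a list of accepted values, nested objects recurse; content filters such as `prefix` or `anything-but` are not implemented), and runs a constructed CloudTrail event through it.

```python
# Added example (not from the slides): match a CloudTrail-delivered DynamoDB event
# against an EventBridge-style pattern and raise an alert only for DeleteTable.
# The matcher implements exact-value list matching with nested objects only; the
# sample event is constructed (placeholder ids, account and table name).
import json

# Event pattern in the shape EventBridge accepts for "AWS API Call via CloudTrail".
DELETE_TABLE_PATTERN = {
    "source": ["aws.dynamodb"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["dynamodb.amazonaws.com"],
        "eventName": ["DeleteTable"],
    },
}

# Constructed sample event, not captured from a real account.
SAMPLE_EVENT_JSON = json.dumps({
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.dynamodb",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "eventSource": "dynamodb.amazonaws.com",
        "eventName": "DeleteTable",
        "userIdentity": {"type": "IAMUser", "userName": "example-user"},
        "requestParameters": {"tableName": "Orders"},
    },
})


def matches(pattern, event) -> bool:
    """True if every key of `pattern` is present in `event` with an accepted value.

    Keys absent from the pattern are unconstrained, as in EventBridge.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list):
            if actual not in expected:
                return False
        else:
            raise ValueError("pattern values must be lists or nested objects")
    return True


def alert_for(event_json: str, pattern=DELETE_TABLE_PATTERN):
    """Return an alert string for a matching event, or None for a non-match."""
    event = json.loads(event_json)
    if not matches(pattern, event):
        return None
    d = event["detail"]
    who = d.get("userIdentity", {}).get("userName", "unknown")
    table = d.get("requestParameters", {}).get("tableName", "?")
    return f"{d['eventName']} on table {table} by {who} in {event.get('region')}"


def with_event_name(event_json: str, name: str) -> str:
    """Derive a variant of the sample event with another API call name."""
    event = json.loads(event_json)
    event["detail"]["eventName"] = name
    return json.dumps(event)


if __name__ == "__main__":
    print(alert_for(SAMPLE_EVENT_JSON))
    print(alert_for(with_event_name(SAMPLE_EVENT_JSON, "PutItem")))
```

Two things to keep in mind when you build the real rule: CloudTrail delivers management events to EventBridge with a delay of minutes, so this is a detective control, not a preventive one (Backup Vault Lock and IAM deny policies are the preventive side), and a pattern that lists only `eventName` without `eventSource` would also fire for same-named calls from other services.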
API Gateway — AWS Service Integration: Kinesis Data Streams example

[Diagram: Client -> requests -> API Gateway -> Kinesis Data Streams -> Kinesis Data Firehose -> store .json files -> Amazon S3]
Caching Strategies

[Diagram: Client -> CloudFront (edge) -> API Gateway -> App logic (EC2 / Lambda) -> Redis / Memcached / DAX -> Database; trade-offs at each layer: Caching, TTL, Network, Computation, Cost, Latency]
Blocking an IP address

[Diagram: Client -> NACL (subnet level) -> Security group -> EC2 Instance (Public IP) + Optional Firewall Software in EC2]

Blocking an IP address — with an ALB

[Diagram: Client -> Application Load Balancer (ALB Security group, Connection Termination) -> EC2 Instance (EC2 Security group, Private IP)]

Blocking an IP address — with an NLB

[Diagram: Client -> Network Load Balancer (Passthrough: traffic goes through, No Security Group, sees client's IP) -> EC2 Instance (EC2 Security group, Private IP, sees client's IP)]

Blocking an IP address — ALB + WAF

[Diagram: Client -> WAF (IP address filtering) on the Application Load Balancer -> EC2 Instance (EC2 Security group, Private IP)]

Blocking an IP address — ALB, CloudFront WAF

[Diagram: Client -> CloudFront (Geo Restriction, WAF IP address filtering; the Public ALB only sees CloudFront Public IPs, so a NACL is not helpful) -> Public ALB (ALB Security group) -> EC2 Instance (EC2 Security group, Private IP)]
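The five diagrams above all turn on one question: which source address does each control actually see, and can that control express a deny? The example below is added here and is not code from the slides. It models a NACL as the ordered, numbered allow/deny list it is (lowest number first, first match wins, implicit deny), a Security Group as allow-only, and the source address visible at the VPC entry hop and at the instance hop for the direct, NLB, ALB and CloudFront paths. The client, ALB and CloudFront addresses are constructed placeholders.

```python
# Added example (not from the slides): evaluate one blocked client against the controls
# on the "Blocking an IP address" slides. A NACL is an ordered list of numbered
# allow/deny rules (lowest number first, first match wins, implicit deny); a Security
# Group holds allow rules only. All IPs and rule sets are constructed for the example.
import ipaddress

BLOCKED_CLIENT = "203.0.113.50"       # constructed client IP to block
ALB_PRIVATE_IP = "10.0.0.20"          # constructed ALB node IP inside the VPC
CLOUDFRONT_EDGE_IP = "192.0.2.77"     # constructed stand-in for a CloudFront IP

# NACL inbound rules: (rule number, source CIDR, protocol, (port from, port to), action)
NACL_INBOUND = [
    (90,  BLOCKED_CLIENT + "/32", "tcp", (0, 65535),    "deny"),   # explicit block first
    (100, "0.0.0.0/0",            "tcp", (443, 443),    "allow"),  # HTTPS from anywhere
    (110, "0.0.0.0/0",            "tcp", (1024, 65535), "allow"),  # ephemeral return ports
]

# Security group inbound rules: (source CIDR, protocol, (port from, port to)); allow only.
SG_INBOUND = [("0.0.0.0/0", "tcp", (443, 443))]


def _hit(cidr, proto, ports, src_ip, pkt_proto, pkt_port) -> bool:
    lo, hi = ports
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(cidr)
            and proto in (pkt_proto, "all") and lo <= pkt_port <= hi)


def nacl_decision(rules, src_ip, pkt_proto, pkt_port) -> str:
    """First matching rule by ascending number decides; no match means deny."""
    for _num, cidr, proto, ports, action in sorted(rules):
        if _hit(cidr, proto, ports, src_ip, pkt_proto, pkt_port):
            return action
    return "deny"


def sg_decision(rules, src_ip, pkt_proto, pkt_port) -> str:
    """Any matching rule allows; a Security Group has no deny rule to write."""
    for cidr, proto, ports in rules:
        if _hit(cidr, proto, ports, src_ip, pkt_proto, pkt_port):
            return "allow"
    return "deny"


def source_seen(path: str, hop: str, client_ip: str = BLOCKED_CLIENT) -> str:
    """Source address evaluated at the VPC entry hop and at the instance hop.

    direct / nlb: the NLB is passthrough, so the client IP is seen everywhere.
    alb: the ALB terminates the connection; the instance sees the ALB's IP.
    cloudfront: the ALB only ever sees CloudFront's IPs (slide: NACL not helpful).
    """
    table = {
        "direct":     {"entry": client_ip, "instance": client_ip},
        "nlb":        {"entry": client_ip, "instance": client_ip},
        "alb":        {"entry": client_ip, "instance": ALB_PRIVATE_IP},
        "cloudfront": {"entry": CLOUDFRONT_EDGE_IP, "instance": ALB_PRIVATE_IP},
    }
    return table[path][hop]


def nacl_blocks(path: str, hop: str, client_ip: str = BLOCKED_CLIENT) -> bool:
    """Does the deny rule in NACL_INBOUND, applied at `hop`, stop this client?"""
    seen = source_seen(path, hop, client_ip)
    return nacl_decision(NACL_INBOUND, seen, "tcp", 443) == "deny"


if __name__ == "__main__":
    print("SG decision for blocked client:", sg_decision(SG_INBOUND, BLOCKED_CLIENT, "tcp", 443))
    for path in ("direct", "nlb", "alb", "cloudfront"):
        print(f"{path:<10} entry NACL blocks={nacl_blocks(path, 'entry')!s:<5} "
              f"instance NACL blocks={nacl_blocks(path, 'instance')}")
```

Reading the output against the slides: a NACL on the entry subnet works for the direct, NLB and ALB paths because that hop still sees the client's address; behind CloudFront it sees only CloudFront's addresses, so the block has to move to WAF on the distribution (or the ALB's WAF). And `sg_decision` returns `allow` for the blocked client however you order the rules, which is why the slides never propose a Security Group for this job.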
High Performance Computing (HPC)

* The cloud is the perfect place to perform HPC
  * You can create a very high number of resources in no time
  * You can speed up time to results by adding more resources
  * You can pay only for the systems you have used
* Perform genomics, computational chemistry, financial risk modeling, weather prediction, machine learning, deep learning, autonomous driving
* Which services help perform HPC?
Data Management & Transfer

* AWS Direct Connect:
  * Move GB/s of data to the cloud, over a private secure network
* Snowball & Snowmobile
  * Move PB of data to the cloud
* AWS DataSync
  * Move large amount of data between on-premises and S3, EFS, FSx for Windows
Compute and Networking

* EC2 Instances:
  * CPU optimized, GPU optimized
  * Spot Instances / Spot Fleets for cost savings + Auto Scaling
* EC2 Placement Groups: Cluster for good network performance

[Diagram: Cluster placement group — same Rack, same AZ, low latency 10Gbps network]
Compute and Networking

* EC2 Enhanced Networking (SR-IOV)
  * Higher bandwidth, higher PPS (packet per second), lower latency
  * Option 1: Elastic Network Adapter (ENA) up to 100 Gbps
  * Option 2: Intel 82599 VF up to 10 Gbps — LEGACY
* Elastic Fabric Adapter (EFA)
  * Improved ENA for HPC, only works for Linux
  * Great for inter-node communications, tightly coupled workloads
  * Leverages Message Passing Interface (MPI) standard
  * Bypasses the underlying Linux OS to provide low-latency, reliable transport
Storage

* Instance-attached storage:
  * EBS: scale up to 256,000 IOPS with io2 Block Express
  * Instance Store: scale to millions of IOPS, linked to EC2 instance, low latency
* Network storage:
  * Amazon S3: large blob, not a file system
  * Amazon EFS: scale IOPS based on total size, or use provisioned IOPS
  * Amazon FSx for Lustre:
    * HPC optimized distributed file system, millions of IOPS
    * Backed by S3
Automation and Orchestration

* AWS Batch
  * AWS Batch supports multi-node parallel jobs, which enables you to run single jobs that span multiple EC2 instances.
  * Easily schedule jobs and launch EC2 instances accordingly
* AWS ParallelCluster
  * Open-source cluster management tool to deploy HPC on AWS
  * Configure with text files
  * Automate creation of VPC, Subnet, cluster type and instance types
  * Ability to enable EFA on the cluster (improves network performance)
Creating a highly available EC2 instance

[Diagram: a Public EC2 instance answering "What time is it? 5:30 pm!" has an Elastic IP Address attached; a CloudWatch Event (or Alarm based on metric) monitors it and, on failure, starts the Standby EC2 instance and attaches the Elastic IP to it]

Creating a highly available EC2 instance — With an Auto Scaling Group

[Diagram: an Auto Scaling group spanning Availability Zone 1 and 2 with ASG Settings 1 min, 1 max, 1 desired, >= 2 AZ; EC2 User Data attaches the Elastic IP (Attachment Based on Tag); an EC2 instance role allows the API calls to attach the Elastic IP; on failure the ASG launches a Replacement EC2 instance that re-attaches the Elastic IP]

Creating a highly available EC2 instance — With ASG + EBS

[Diagram: same ASG setup; on the ASG Terminate lifecycle hook an EBS Snapshot is created (with tags); on the ASG Launch lifecycle hook in Availability Zone 2 an EBS Volume is created from the snapshot and attached to the Replacement EC2 instance, whose EC2 User Data attaches the Elastic IP Based on Tag]
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Other Services 


Overview of Services that might come up in a few questions 
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What is CloudFormation 


e CloudFormation is a declarative way of outlining your AWS 
Infrastructure, for any resources (most of them are supported). 


* For example, within a CloudFormation template, you say: 
* | want a security group 
* | want two EC2 instances using this security group 
* | want an 53 bucket 
* | want a load balancer (ELB) in front of these machines 


* [hen CloudFormation creates those for you, in the right order, with the 
exact configuration that you specify 


o5'snjnuin2e3ep"WMM »[oJee|A eueudeis © NOILNAINLSIG 803 LON 


(9 Stephane Maarek 


Benefits of AWS CloudFormation (1/2)

* Infrastructure as code
  * No resources are manually created, which is excellent for control
  * Changes to the infrastructure are reviewed through code
* Cost
  * Each resource within the stack is tagged with an identifier so you can easily see how much a stack costs you
  * You can estimate the costs of your resources using the CloudFormation template
  * Savings strategy: In Dev, you could automate deletion of templates at 5 PM and re-creation at 8 AM, safely
Benefits of AWS CloudFormation (2/2)

* Productivity
  * Ability to destroy and re-create an infrastructure on the cloud on the fly
  * Automated generation of Diagram for your templates!
  * Declarative programming (no need to figure out ordering and orchestration)
* Don't re-invent the wheel
  * Leverage existing templates on the web!
  * Leverage the documentation
* Supports (almost) all AWS resources:
  * Everything we'll see in this course is supported
  * You can use "custom resources" for resources that are not supported
CloudFormation Stack Designer

* Example: WordPress CloudFormation Stack
* We can see all the resources
* We can see the relations between the components
Amazon Simple Email Service (Amazon SES)

* Fully managed service to send emails securely, globally and at scale
* Allows inbound/outbound emails
* Reputation dashboard, performance insights, anti-spam feedback
* Provides statistics such as email deliveries, bounces, feedback loop results, email open
* Supports DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF)
* Flexible IP deployment: shared, dedicated, and customer-owned IPs
* Send emails using your application using AWS Console, APIs, or SMTP
* Use cases: transactional, marketing and bulk email communications

(Diagram: your application sends bulk emails to Amazon SES through APIs or SMTP; Amazon SES delivers them to the users.)
Amazon Pinpoint

* Scalable 2-way (outbound/inbound) marketing communications service
* Supports email, SMS, push, voice, and in-app messaging
* Ability to segment and personalize messages with the right content to customers
* Possibility to receive replies
* Scales to billions of messages per day
* Use cases: run campaigns by sending marketing, bulk, transactional SMS messages
* Versus Amazon SNS or Amazon SES
  * In SNS & SES you manage each message's audience, content, and delivery schedule
  * In Amazon Pinpoint, you create message templates, delivery schedules, highly-targeted segments, and full campaigns

(Diagram: Amazon Pinpoint exchanges SMS and email with customers and streams events (e.g., TEXT_SUCCESS, TEXT_DELIVERED, ...) to Kinesis Data Firehose and CloudWatch Logs.)
Systems Manager — SSM Session Manager

* Allows you to start a secure shell on your EC2 and on-premises servers (SSM Agent)
* No SSH access, bastion hosts, or SSH keys needed
* No port 22 needed (better security)
* Supports Linux, macOS, and Windows
* Send session log data to S3 or CloudWatch Logs

(Diagram: a user with IAM permissions executes commands through Session Manager on an EC2 instance running the SSM Agent; session logs go to S3 or CloudWatch Logs.)
Systems Manager — Run Command

* Execute a document (= script) or just run a command
* Run command across multiple instances (using resource groups)
* No need for SSH
* Command Output can be shown in the AWS Console, sent to S3 bucket or CloudWatch Logs
* Send notifications to SNS about command status (In progress, Success, Failed, ...)
* Integrated with IAM & CloudTrail
* Can be invoked using EventBridge

(Diagram: EventBridge triggers Run Command, which runs on EC2 Instances (with SSM Agent) and sends the output to Amazon S3 or CloudWatch Logs.)
Systems Manager — Patch Manager

* Automates the process of patching managed instances
* OS updates, applications updates, security updates
* Supports EC2 instances and on-premises servers
* Supports Linux, macOS, and Windows
* Patch on-demand or on a schedule using Maintenance Windows
* Scan instances and generate patch compliance report (missing patches)

(Diagram: AWS Console, AWS SDK or Maintenance Windows invoke Run Command with the AWS-RunPatchBaseline document on EC2 Instances (with SSM Agent).)
Systems Manager — Maintenance Windows

* Defines a schedule for when to perform actions on your instances
* Example: OS patching, updating drivers, installing software, ...
* Maintenance Window contains
  * Schedule
  * Duration
  * Set of registered instances
  * Set of registered tasks

(Diagram: a Maintenance Window triggers Run Command every 24 hours on the registered EC2 Instances (with SSM Agent).)
Systems Manager - Automation

* Simplifies common maintenance and deployment tasks of EC2 instances and other AWS resources
  * Examples: restart instances, create an AMI, EBS snapshot
* Automation Runbook — SSM Documents to define actions performed on your EC2 instances or AWS resources (pre-defined or custom)
* Can be triggered using:
  * Manually using AWS Console, AWS CLI or SDK
  * Amazon EventBridge
  * On a schedule using Maintenance Windows
  * By AWS Config for rules remediations

(Diagram: AWS Console / AWS SDK, Maintenance Windows, Amazon EventBridge and AWS Config Remediation each execute an automation runbook such as AWS-RestartEC2Instance, which acts on AWS Resources: EC2 Instances, RDS, and others.)
Cost Explorer

* Visualize, understand, and manage your AWS costs and usage over time
* Create custom reports that analyze cost and usage data.
* Analyze your data at a high level: total costs and usage across all accounts
* Or Monthly, hourly, resource level granularity
* Choose an optimal Savings Plan (to lower prices on your bill)
* Forecast usage up to 12 months based on previous usage
Cost Explorer — Monthly Cost by AWS Service

(Screenshot: Cost Explorer "Monthly costs by service" report over the last 6 months (Oct 2018 to Mar 2019), monthly granularity, stacked chart with costs in $ thousands, grouped by Instance Type: t2.micro, c4.2xlarge, m3.large, m4.large, c4.large, Others. Filters offered: Service, Linked Account, Region, Instance Type, Usage Type, Usage Type Group, Tag, API Operation, Charge Type, plus advanced options such as "Show only untagged resources"; costs shown as Unblended costs; Download CSV available.)

Instance Type   | Oct 1, 2018 | Nov 1, 2018 | Dec 1, 2018 | Jan 1, 2019
Total cost ($)  | 1,312.71    | 1,328.54    | 1,125.99    | 1,129.65
t2.micro ($)    | 486.75      | 475.89      | 405.63      | 409.27
c4.2xlarge ($)  | 296.11      | 286.56      | 296.11      | 296.11
Cost Explorer - Hourly & Resource Level

(Screenshot: AWS Cost Management > Cost Explorer "Cost & Usage" report for Oct 25, 2019 - Oct 27, 2019 at Hourly granularity, stacked chart of costs in $ per hour, with "Group by" options Service, Linked Account, Region, Instance Type, Usage Type, Usage Type Group, Resource, Tag, API Operation and the same filter panel as the monthly view.)
Cost Explorer — Savings Plan
Alternative to Reserved Instances

(Screenshot: Savings Plans recommendation options. Savings Plans type: Compute (selected), EC2 Instance. Savings Plans term: 1-year, 3-year (selected). Payment option: All upfront (selected), Partial upfront, No upfront. Based on the past: 7 days, 30 days, 60 days (selected).)

Recommendation: Purchase a Compute Savings Plan at a commitment of $2.40/hour

You could save an estimated $1,173 monthly by purchasing the recommended Compute Savings Plan.

Based on your past 60 days of usage, we recommend purchasing a Savings Plan with a commitment of $2.40/hour for a 3-year term. With this commitment, we project that you could save an average of $1.61/hour - representing a 40% savings compared to On-Demand. To account for variable usage patterns, this recommendation maximizes your savings by leaving an average $0.04/hour of On-Demand spend.

Before recommended purchase: Monthly On-Demand spend $2,955 ($4.05/hour), based on your On-Demand spend over the past 60 days.
After recommended purchase (based on your past 60 days of usage): Estimated monthly spend $1,782 ($2.44/hour), i.e. your recommended $2.40/hour Savings Plans commitment + an average $0.04/hour of On-Demand spend; Estimated monthly savings $1,173 ($1.61/hour), a 40% monthly saving over On-Demand: $2,955 - $1,782 = $1,173.

This recommendation examines your usage over the past 60 days (including your existing Savings Plans and EC2 Reserved Instances) and calculates what your costs would have been had you purchased the recommended Savings Plans. See applicable rates for Savings Plans here. To generate this recommendation, AWS simulates your bill for different commitment amounts and recommends the commitment amount that provides the greatest estimated savings. Learn more

Recommended Compute Savings Plans (Download CSV)
Term   | Payment option | Recommended commitment | Estimated hourly savings
3-year | All upfront    | $2.40/hour             | $1.61 (40%)


Cost Explorer — Forecast Usage

(Screenshot: Cost Explorer forecast chart from Jan 2019 to Oct 2019, where Jul 2019 to Oct 2019 are forecast months; costs ($ in thousands) and usage (Hrs in thousands) are plotted with 80% confidence bands. Tooltip for Jul 2019: Costs mean estimate $1,368.57, 80% Confidence: $1,216.50 - $1,520.64; Usage mean estimate: 11,167.05 Hrs, 80% Confidence: 10,349.27 Hrs - 11,984.84 Hrs.)



Amazon Elastic Transcoder

* Elastic Transcoder is used to convert media files stored in S3 into media files in the formats required by consumer playback devices (phones etc..)
* Benefits:
  * Easy to use
  * Highly scalable — can handle large volumes of media files and large file sizes
  * Cost effective — duration-based pricing model
  * Fully managed & secure, pay for what you use

(Diagram: S3 Input bucket -> Transcoding Pipeline -> S3 Output bucket -> Smartphones, Tablets, PCs...)
AWS Batch

* Fully managed batch processing at any scale
* Efficiently run 100,000s of computing batch jobs on AWS
* A "batch" job is a job with a start and an end (opposed to continuous)
* Batch will dynamically launch EC2 instances or Spot Instances
* AWS Batch provisions the right amount of compute / memory
* You submit or schedule batch jobs and AWS Batch does the rest!
* Batch Jobs are defined as Docker images and run on ECS
* Helpful for cost optimizations and focusing less on the infrastructure
AWS Batch — Simplified Example

(Diagram: an upload to Amazon S3 triggers AWS Batch, which runs the job on an EC2 Instance or a Spot Instance.)
Batch vs Lambda

* Lambda:
  * Time limit
  * Limited runtimes
  * Limited temporary disk space
  * Serverless
* Batch:
  * No time limit
  * Any runtime as long as it's packaged as a Docker image
  * Rely on EBS / instance store for disk space
  * Relies on EC2 (can be managed by AWS)




Amazon AppFlow

* Fully managed integration service that enables you to securely transfer data between Software-as-a-Service (SaaS) applications and AWS
* Sources: Salesforce, SAP, Zendesk, Slack, and ServiceNow
* Destinations: AWS services like Amazon S3, Amazon Redshift or non-AWS such as SnowFlake and Salesforce
* Frequency: on a schedule, in response to events, or on demand
* Data transformation capabilities like filtering and validation
* Encrypted over the public internet or privately over AWS PrivateLink
* Don't spend time writing the integrations and leverage APIs immediately
White Papers and Architectures

Well Architected Framework, Disaster Recovery, etc...
Section Overview

* Well Architected Framework Whitepaper
* Well Architected Tool
* AWS Trusted Advisor
* Reference architectures resources (for real-world)
* Disaster Recovery on AWS Whitepaper
Well Architected Framework
General Guiding Principles

* https://aws.amazon.com/architecture/well-architected
* Stop guessing your capacity needs
* Test systems at production scale
* Automate to make architectural experimentation easier
* Allow for evolutionary architectures
  * Design based on changing requirements
* Drive architectures using data
* Improve through game days
  * Simulate applications for flash sale days
Well Architected Framework
6 Pillars

* 1) Operational Excellence
* 2) Security
* 3) Reliability
* 4) Performance Efficiency
* 5) Cost Optimization
* 6) Sustainability
* They are not something to balance, or trade-offs, they're a synergy
AWS Well-Architected Tool

* Free tool to review your architectures against the 6 pillars Well-Architected Framework and adopt architectural best practices
* How does it work?
  * Select your workload and answer questions
  * Review your answers against the 6 pillars
  * Obtain advice: get videos and documentations, generate a report, see the results in a dashboard
* Let's have a look: https://console.aws.amazon.com/wellarchitected

(Screenshot: Well-Architected Tool > Workloads page.)
Trusted Advisor

* No need to install anything — high level AWS account assessment
* Analyze your AWS accounts and provides recommendation on 5 categories
  * Cost optimization
  * Performance
  * Security
  * Fault tolerance
  * Service limits

(Screenshot: Trusted Advisor security checks, e.g. Amazon EBS Public Snapshots, which checks the permission settings for your Amazon EBS snapshots and reports any marked as public; Amazon RDS Public Snapshots, which checks whether any RDS snapshots are marked as public; and a check intended to discourage the use of root access, reporting that at least one IAM user has been created for this account.)
Trusted Advisor — Support Plans

7 CORE CHECKS (Basic & Developer Support plan)
* S3 Bucket Permissions
* Security Groups — Specific Ports Unrestricted
* IAM Use (one IAM user minimum)
* MFA on Root Account
* EBS Public Snapshots
* RDS Public Snapshots
* Service Limits

FULL CHECKS (Business & Enterprise Support plan)
* Full Checks available on the 5 categories
* Ability to set CloudWatch alarms when reaching limits
* Programmatic Access using AWS Support API
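Two of the core checks listed above, re-implemented as an added example that is not part of the course slides or of Trusted Advisor itself: a "Security Groups - Specific Ports Unrestricted" check over the describe_security_groups response shape, and an "EBS Public Snapshots" check using describe_snapshot_attribute. The port list, group IDs, snapshot IDs and the FakeEC2 client are constructed.

```python
# Added example (not from the course slides): what two Trusted Advisor core
# checks actually test, written against boto3's response shapes so the same
# functions run on real output, e.g.
#   unrestricted_ports(boto3.client("ec2").describe_security_groups()["SecurityGroups"])
# The sample data and FakeEC2 below are constructed for offline use.

WORLD = {"0.0.0.0/0", "::/0"}
# Ports treated as high risk when reachable from anywhere. Constructed for this
# example; the authoritative list is in the check's own description.
HIGH_RISK_PORTS = {20, 21, 22, 23, 1433, 1434, 3306, 3389, 4333, 5432, 5500}

def unrestricted_ports(security_groups, risky=HIGH_RISK_PORTS):
    """Return {GroupId: sorted risky ports} for groups exposing them to the world.
    Input is the 'SecurityGroups' list from ec2.describe_security_groups()."""
    findings = {}
    for sg in security_groups:
        hits = set()
        for rule in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])] + \
                      [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            if not WORLD.intersection(sources):
                continue              # only world-open rules matter here
            if rule.get("IpProtocol") == "-1":
                hits |= risky         # "all traffic": every port is exposed
                continue
            lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
            hits |= {p for p in risky if lo <= p <= hi}
        if hits:
            findings[sg["GroupId"]] = sorted(hits)
    return findings

def public_snapshots(ec2, snapshots):
    """Return IDs of the given snapshots whose createVolumePermission includes 'all'."""
    public = []
    for snap in snapshots:
        attr = ec2.describe_snapshot_attribute(
            SnapshotId=snap["SnapshotId"], Attribute="createVolumePermission")
        if any(p.get("Group") == "all" for p in attr.get("CreateVolumePermissions", [])):
            public.append(snap["SnapshotId"])
    return public

SAMPLE_SGS = [  # constructed describe_security_groups() output
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [   # range happens to cover MySQL 3306
        {"IpProtocol": "tcp", "FromPort": 3300, "ToPort": 3310, "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]

class FakeEC2:
    """Offline stand-in for the snapshot-attribute call (constructed)."""
    def __init__(self, public_ids):
        self.public_ids = set(public_ids)
    def describe_snapshot_attribute(self, SnapshotId, Attribute):
        perms = [{"Group": "all"}] if SnapshotId in self.public_ids else []
        return {"SnapshotId": SnapshotId, "CreateVolumePermissions": perms}
```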
More Architecture Examples

* We've explored the most important architectural patterns:
  * Classic: EC2, ELB, RDS, ElastiCache, etc...
  * Serverless: S3, Lambda, DynamoDB, CloudFront, API Gateway, etc...
* If you want to see more AWS architectures:
  * https://aws.amazon.com/architecture/
  * https://aws.amazon.com/solutions/
State of learning checkpoint

* Let's look how far we've gone on our learning journey
* https://aws.amazon.com/certification/certified-solutions-architect-associate/
Practice makes perfect

* If you're new to AWS, take a bit of AWS practice thanks to this course before rushing to the exam
* The exam recommends you to have one or more years of hands-on experience on AWS
* Practice makes perfect!
* If you feel overwhelmed by the amount of knowledge you just learned, just go through it one more time
Proceed by elimination

* Most questions are going to be scenario based
* For all the questions, rule out answers that you know for sure are wrong
* For the remaining answers, understand which one makes the most sense
* There are very few trick questions
* Don't over-think it
* If a solution seems feasible but highly complicated, it's probably wrong
Skim the AWS Whitepapers

* You can read about some AWS White Papers here:
  * Architecting for the Cloud: AWS Best Practices
  * AWS Well-Architected Framework
  * AWS Disaster Recovery (https://aws.amazon.com/disaster-recovery/)
* Overall we've explored all the most important concepts in the course
* It's never bad to have a look at the whitepapers you think are interesting!
Read each service's FAQ

* FAQ = Frequently asked questions
* Example: https://aws.amazon.com/vpc/faqs/
* FAQs cover a lot of the questions asked at the exam
* They help confirm your understanding of a service
Get into the AWS Community

* Help out and discuss with other people in the course Q&A
* Review questions asked by other people in the Q&A
* Do the practice test in this section
* Read forums online
* Read online blogs
* Attend local meetups and discuss with other AWS engineers
* Watch re:Invent videos on YouTube (AWS Conference)
How will the exam work?

* You'll have to register online at https://www.aws.training/
* Fee for the exam is 150 USD
* Provide one identity document (ID, Passport, details are in emails sent to you...)
* No notes are allowed, no pen is allowed, no speaking
* 65 questions will be asked in 130 minutes
* Use the "Flag" feature to mark questions you want to re-visit
* At the end you can optionally review all the questions / answers
* To pass you need a score of at least 720 out of 1000
* You will know within 5 days if you passed / failed the exam (most of the time less)
* You will know the overall score a few days later (email notification)
* You will not know which answers were right / wrong
* If you fail, you can retake the exam again 14 days later
Congratulations!

* Congrats on finishing the course!
* I hope you will pass the exam without a hitch
* If you haven't done so yet, I'd love a review from you!
* If you passed, I'll be more than happy to know I've helped
  * Post it in the Q&A to help & motivate other students. Share your tips!
  * Post it on LinkedIn and tag me!
* Overall, I hope you learned how to use AWS and that you will be a tremendously good AWS Solutions Architect